SOA SECURITY TRAINING RESOURCES

Resources for SOA Network Security

Background


The evolution of SOA to SOA Hubs and SOA Networks means that the Network Security Professional must understand at least the basics of SOA and, to a greater degree, its impact on their networks.  I have been involved in the deployment of Web Services in a variety of environments, and oftentimes we never relied on anything more than SSL security.  This is fine for a closed user group (SOA Hubs) where your business services are tightly controlled.  However, if the vision for a Service-Oriented Economy is to be realized, we must think in terms of these business services potentially being exposed outside of this environment to an environment where anyone can consume them.

 

 

What is so different about SOA Network Security?

 

Network security in the past focused primarily on the transport level and tried to “lock down” your enterprise security environment in order to control access to your IT resources.  However, the philosophy of SOA Network Security runs counter to this approach.  With Service-Oriented Environments you will need to focus on message-level security as well as transport-level security, and you will have to think in terms of expanding your security perimeter beyond your immediate control.  This is one of the most fundamental paradigm shifts you need to understand as a Network Security Professional - Service-Oriented Architecture is about exposing business services beyond your immediate enterprise to trusted partners and eventually to unknown partners.
 

 

Resources

 

I am not presently an expert in the area of SOA Network Security; however, I am trying to get up to speed quickly.  I am constantly looking for resources on this topic and will update the listings.

 

Books

 

Good books specifically on the application of security to web services and SOA are few and far between.  This is a short list of books that I have read:

 

Securing Web Services with WS-Security - Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption - Jothy Rosenberg, David Remy

 

- This is the best book that I have found so far on Web Service Security.

 

Web Service Security - Mark O'Neill, et al.

- I haven't had a chance to read it, but the book is dated since it focuses on Web Services Security and not SOA Security.  Published in 2003.


Digital Identity – Unmasking Identity Management Architecture (IMA) - Phillip J Windley


- I recommend getting his book since Phillip understands the movement to and challenges of a service-oriented economy – “One of the most dramatic shifts has been the rise of network-based, automated services.”

 

 

Web Services Platform Architecture - SOAP, WSDL, WS-Policy, WS-Addressing, WS-BPEL, WS-Reliable Messaging, and More - Sanjiva Weerawarana, Francisco Curbera, et al


- This book is focused more on the overall Web Service standards and talks about security standards.

 

 

Hardening Network Security – Bulletproof your systems before you are hacked! - John Mallery, Jason Zann, Patrick Kelly, et al


- I have just started reading this book and its focus is network security in general.  It has one small chapter (Chapter 5) on Hardening Web Services.


SOA Security in Action (Not Yet Released) - Ramarao Kanneganti, Prasad Chodavarapu
http://www.manning.com/kanneganti/



Training

 

Security University

There are many companies that offer a variety of training and certifications on network security; however, I haven’t been able to find anything specifically on SOA Network Security, until this weekend.  I found that Security University (www.securityuniversity.net) offers a specific course on Message Based Security – SOA.

http://www.securityuniversity.net/classes_soa.php



Professional Education Strategies Group, Inc.

This organization offers a security training class focused on How to Extend Traditional Security Principles to SOA/Web Services.  Check out the class details and schedule at:

http://www.pesg.com/soa/security.html


 

Vendors’ Web Sites

 

I am primarily interested in finding agnostic-oriented resources on the topic of SOA Network Security, and therefore won’t go into detail on the various vendors’ web sites.  However, they are worth checking out.



Web Sites

Check out this portal.  It has a lot of resources for web services security and SOA:

http://www.cgisecurity.com/ws/  


 

Additional Resources

 

I came across this web site on the internet.  Robert Bunge was a student at the University of Washington - Tacoma http://www.tacoma.washington.edu/ and has been writing about SOA Network Security and other topics.  Check out his site at: http://repos.insttech.washington.edu/~rbunge/tcss559/index.html

 

 

If you have information about resources related to SOA Network Security, please feel free to send it to me and I will add it to a future update.


See SOA Security Training  www.soasecuritytraining.com
 

___________________________________________________

Gary E. Smith
SOA Security Architect
