Preface
Security is everyone’s business.
It is especially so if you are in IT. At some point, you will have had to implement, or at least understand, the security aspects of applications. As an application designer, you might have been asked to come up with a security model for your application. If you are an IT administrator, you might have been charged with the task of configuring security for an application. It has been our experience that every architect, designer, developer, administrator, and information officer needs to understand the basics of security technologies.
Most practitioners of IT pick up the basics of security on the job. Almost everyone who has worked for a few years in IT has an intuitive feel for username/password–based authentication. A decade of practice with HTTPS has made many in the IT community familiar with PKI as well. However, the security concepts required for SOA cannot be learned by osmosis. Not only are there new security concepts and technologies that need to be understood, but some of the most popular security practices turn out to be counterproductive when used in SOA implementations.