Book review: XML security books
When you read the XML specification, you will notice that it contains no notion of security. Critical security functionalities such as encryption, digital signatures, and authentication are simply not part of the XML standard. XML is similar to many other protocols, languages, and operating systems in that it was originally developed without any thought to security and privacy. It is only after serious security vulnerabilities are discovered and publicized that they are patched. But this find, patch, fix mentality of information security is dangerous in that security problems can exist for months or years before they are found.
Similarly within XML, much of the security functionality has been added after the fact, namely in Canonical XML, XML Signature, and XML Encryption Syntax and Processing. By adding security to the core feature set of XML, the W3C has ensured that, to a degree, the find, patch, fix method won't be the manner in which XML security is developed.
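Added example (not from the review or the books it covers): why XML Signature depends on Canonical XML. Two constructed messages that mean the same thing but are serialized differently hash to different values as raw bytes, yet to the same value once canonicalized, so a digest taken over the canonical form survives benign re-serialization while still catching a real change. The Python standard library's canonicalize() implements C14N 2.0 rather than the Canonical XML 1.0 used by XML Signature; it is used here as a stand-in.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample messages: same infoset, different serialization
# (attribute order, whitespace inside tags, empty-element form).
DOC_A = '<msg id="42" type="pay"><amount currency="USD">100</amount><note/></msg>'
DOC_B = '<msg type="pay" id="42" ><amount  currency="USD" >100</amount><note></note></msg>'


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as received: brittle for signatures."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """Canonicalize with the stdlib C14N 2.0 implementation (Python 3.8+):
    attributes sorted, tag whitespace normalized, empty elements expanded."""
    return ET.canonicalize(xml_text)


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form: what an XML Signature reference covers."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def verify_digest(reference_digest: str, received_xml: str) -> bool:
    """Verifier side: recompute the canonical digest of the received document and
    compare it to the digest carried with the signature."""
    return c14n_digest(received_xml) == reference_digest


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", c14n_digest(DOC_A) == c14n_digest(DOC_B))
    signed = c14n_digest(DOC_A)
    print("re-serialized verifies: ", verify_digest(signed, DOC_B))
    print("tampered verifies:      ", verify_digest(signed, DOC_B.replace("100", "900")))
```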
A good reference book can help you navigate this XML security landscape. A pair of recent books, Secure XML: The New Syntax for Signatures and Encryption and XML Security do a good job of showing how XML can be made secure.