Foreword by Nicholas Allen


The computer industry has come to a realization—based on many years of slowly learning from painful experiences—that computer networks are hostile environments. Nevertheless, computer users demand as part of their basic expectations that applications take advantage of the ubiquitous and continuously available connectivity at their disposal to deliver a rich connected experience.

It is now your task to design and assemble the loosely coupled service components that you have available in a way that blunts threats and thwarts attacks on the user's precious assets. Your applications must withstand the hazards of living in a hostile networked environment. To make that possible, you must understand the risks that your applications face and you must be certain that the remedies you put in place properly mitigate the dangers of those risks.

As someone who has been through several rounds of security and threat modeling for Windows Communication Foundation, I can say without hesitation that knowledge and experience are your greatest assets for designing secure Web service applications. The trick is to gain as much of that knowledge as possible from the painful experiences of other people rather than painful experiences of your own.

J.D. Meier and team have done a fantastic job of assembling and digesting countless practical experiences into a convenient and centralized resource. Practitioners of service-oriented development with WCF will want to use this guide as both a means of learning about the fundamentals of Web service security and a reference for getting specific, step-by-step instructions for dozens of the most common security problems. I enjoy that this guide collects together several different approaches for learning about and implementing security solutions. By combining a variety of formats—scenarios, how-to articles, and guidelines are only a sample of the offered modes—solutions are both reinforced and made more easily discoverable through different entry points.

The reason that I'm so excited to see Improving Web Services Security: Scenarios and Implementation Guidance for WCF is that having a secure system has become such a deep and pervasive requirement that security has to be treated as part and parcel of functionality. Having the guide to make WCF security understandable and accessible adds value to the WCF platform by improving its usability as a whole. I highly recommend this book to anyone involved in the development, deployment, or management of WCF applications. This book has something of value for you whether it is read end to end or consumed tactically in parts to solve a specific problem. Security is too intrinsically important to pass up this aid to your success.

Nicholas Allen

Program Manager, Windows Communication Foundation

May 2008