RealTime IT News

Prevent a Web Services Insecurity Complex

Feeling insecure about Web services? Some companies still are.

But a new report out this week by research firm Burton Group says a patchwork of emerging security standards should prove a healthy remedy. All it will take is quick work and cooperation by Web services players like Microsoft, IBM and their partners.

In a paper titled "WS-*: A Composable Architecture for Web Services Security," the analyst firm says Web services may be hot, but asks whether they are secure. Authors Dan Blum and Anne Thomas Manes found the current WS-Security standard is a good start, but only the beginning.

"Through Web services, the industry has an opportunity to create a network application platform that enables applications to consume services that interoperate with other applications, even if the various applications were built on different operating systems with different tools. But security and policy must be part of the equation," the authors said in their report.

Microsoft and IBM's solution is an initiative called WS-* (pronounced "WS star"). The project is a combination of WS-Security along with WS-Policy, WS-Federation, WS-Trust and WS-SecureConversation. The combined technologies are also designed to interoperate with existing security models.

The companies said WS-Policy assertions, expressed in XML, can encapsulate information encoded in existing policy languages. Likewise, the WS-Security and WS-Trust specifications can carry username/password, X.509 certificate, Kerberos, SAML, eXtensible rights Markup Language (XrML) and other security token formats inside the SOAP message rather than tying the service to any one of them.
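What "encapsulating a username/password token" looks like on the wire, as an added example that is not code from the Burton report or from the Microsoft/IBM specifications: a SOAP envelope carrying a WS-Security UsernameToken in the digest form of the OASIS Username Token Profile 1.0, and the checks a receiving service should make before trusting it. The namespace URIs and the digest formula, Base64(SHA-1(nonce + created + password)), are the profile's own; the GetQuote operation, the user alice, her password and the fixed nonce and timestamp are constructed for the demo.

```python
"""WS-Security UsernameToken round trip (OASIS Username Token Profile 1.0), standard library only."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
PASSWORD_TEXT = PROFILE + "#PasswordText"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); SHA-1 is what the profile mandates."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, nonce: Optional[bytes] = None,
                   created: Optional[str] = None) -> str:
    """Client side: a SOAP 1.1 envelope whose wsse:Security header carries a digest UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example:quotes}GetQuote").text = "MSFT"  # hypothetical operation
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: checks token form, freshness, replay and digest before accepting the caller."""

    def __init__(self, passwords: Dict[str, str], max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords   # the digest scheme requires the verifier to hold the cleartext
        self.max_skew = max_skew     # tokens older (or more future-dated) than this are rejected
        self.seen = set()            # (nonce, created) already accepted; may be pruned after max_skew

    def verify(self, envelope_xml: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False
        username = token.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        # Accept only the digest form: a PasswordText token hands the secret to every hop.
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
            return False
        if username not in self.passwords:
            return False
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            stamp = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - stamp) > self.max_skew:   # stale or future-dated
            return False
        if (nonce, created) in self.seen:      # same nonce and timestamp again: a replay
            return False
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False
        self.seen.add((nonce, created))
        return True


def demo() -> Dict[str, bool]:
    """Constructed walk-through: fresh token, replay, wrong password, stale token, plaintext downgrade."""
    nonce, created = bytes(range(16)), "2004-06-22T12:00:00Z"   # fixed so the run is reproducible
    now = datetime(2004, 6, 22, 12, 0, 30, tzinfo=timezone.utc)
    secret = "correct horse battery"
    env = build_envelope("alice", secret, nonce=nonce, created=created)
    verifier, other = UsernameTokenVerifier({"alice": secret}), UsernameTokenVerifier({"alice": secret})
    return {
        "fresh": verifier.verify(env, now=now),
        "replay": verifier.verify(env, now=now),
        "wrong_password": UsernameTokenVerifier({"alice": "staple"}).verify(env, now=now),
        "stale": other.verify(env, now=now + timedelta(minutes=10)),
        "plaintext_downgrade": other.verify(env.replace(PASSWORD_DIGEST, PASSWORD_TEXT), now=now),
    }


if __name__ == "__main__":
    print(demo())
```

The digest proves only that the sender knew the password for that particular nonce and timestamp; it binds nothing in the SOAP body, so on its own it gives neither the integrity nor the audit trail the article goes on to discuss. Pair it with an XML Signature over the body (or at minimum SSL on the hop), keep the replay cache keyed on nonce and bounded by the freshness window, and note the scheme's operational cost: the service must store passwords in a form from which the SHA-1 digest can be recomputed.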

In contrast, the option most shops use today is Secure Sockets Layer (SSL) for Web services interactions. Evans Data Corp.'s May survey found seven out of 10 respondents expect to use SSL for Web services interactions; 35 percent also plan to use XML Encryption, and 33 percent XML Digital Signatures.

"SSL was originally designed for business-to-consumer transactions on the Internet. However, SSL is gaining a new role, as seventy percent of respondents expect to use the security mechanism for Web services interactions as well," Evans Data analyst Joe McKendrick said. "The problem is that SSL does not provide the audit trail that is required for most B2B transactions. The use of digital signatures provides that audit trail and 79 percent of developers using digital signatures are using it in conjunction with SSL."

Burton's advice to Microsoft, IBM and other companies like BEA, CA, Layer 7, Netegrity, Oblix, OpenNetwork, PingID, Reactivity, RSA, SAP, VeriSign, and Westbridge is to turn over the less developed specifications as soon as possible to the Organization for the Advancement of Structured Information Standards (OASIS) for independent security review and convergence with other OASIS specifications.

"Except for WS-Security, the WS-* group is still at an early stage and needs additional review, rewrites, and proof-of-concept testing," Burton's authors said. "WS-Policy and WS-Federation are less far along than WS-Trust and WS-SecureConversation. None of the specifications except WS-Security has been submitted to OASIS or any other open standards group, and this - along with WS-Federation's overlaps with the Security Assertion Markup Language (SAML) and the Liberty Alliance specifications - has caused considerable controversy. Yet Microsoft and IBM have committed to providing the specifications to an open standards body on a royalty free (RF) basis. Thus, WS-* specifications take an open and architecturally holistic approach that could ultimately be of great value in delivering the network application platform."

Burton said the idea is that WS-Security will gradually replace SSL and virtual private networks (VPNs) as the way to secure SOAP. The reasoning is that WS-Security protects the message itself, signing and encrypting the individual SOAP elements that need it, so the protection survives passage through SOAP intermediaries and leaves a verifiable record, whereas SSL and VPNs secure only the network hop between two endpoints and strip that protection at each end.

"If basic WS-Trust and WS-SecureConversation functionality were to join WS-Security at OASIS, they might also move forward more rapidly toward broader acceptance, and there would be an opportunity for enhanced convergence with SAML 2.0," the report said.

But Microsoft and IBM will need to get their act together. As it stands, Burton's analysts estimate the testing and integration process could take a minimum of five years to complete.

That may be a little easier said than done. Burton said Microsoft, IBM, and partners have a firm control over the specification process for all WS-* specifications, except for WS-Security.

"While Microsoft and IBM allowed other vendors to jointly author or provide feedback to WS-* specifications through a workshop process, they required vendors to sign a 'feedback agreement' to renounce future intellectual property rights (IPR) claims on the specifications and their comments about the specifications," Burton's analysts said. "In principle, the feedback agreement is positive because it supports the goal of creating royalty free (RF) specifications, but concerns that the agreement may be too open ended - coupled with concerns over entering a Microsoft and IBM controlled process - have caused some vendors, who would ideally be participating in the definition of Web services security standards, to remain on the sidelines."

Burton said another deal breaker is that large parts of the WS-Federation specification duplicate work done already on the standards track in SAML, as well as specifications from Liberty Alliance.

The analyst firm is expected to further outline its recommendation during its annual Catalyst Conference next week.