Prevent a Web Services Insecurity Complex

Feeling insecure about Web services? Some companies still are.

But a new report out this week by research firm Burton Group says a
patchwork of emerging security standards should prove a healthy remedy.
And all it will take is quick work and cooperation by Web services
players like Microsoft, IBM and their partners.

In a paper titled “WS-*: A Composable Architecture for Web Services,”
the analyst firm says Web services may be hot, but asks whether they are
secure. Authors Dan Blum and Anne Thomas Manes found the current WS-Security
standard is a good start, but it is only the

“Through Web services, the industry has an opportunity to create a
network application platform that enables applications to consume services
that interoperate with other applications, even if the various applications
were built on different operating systems with different tools. But security
and policy must be part of the equation,” the authors said in their report.

Microsoft and IBM’s solution is an initiative called WS-* (pronounced “WS
star”). The project is a combination of WS-Security along with WS-Policy,
WS-Federation, WS-Trust and WS-SecureConversation. The combined technologies
are also designed to interoperate with existing security models.

Using XML, the companies said WS-*’s WS-Policy assertions can encapsulate
information encoded in existing policy languages. Likewise WS-*’s
WS-Security and WS-Trust specifications can encapsulate username/password,
X.509 certificate, Kerberos, SAML, eXtensible rights Markup Language (XrML),
and other security token formats.

In contrast, the current options include using Secure Sockets Layer (SSL)
for Web services interactions. Evans Data Corp.’s May survey found seven
out of 10 respondents expect to use SSL for Web services interactions, while
35 percent also plan to use XML Encryption and 33 percent plan to use XML
Digital Signatures.

“SSL was originally designed for business-to-consumer transactions on the
Internet. However, SSL is gaining a new role, as seventy percent of
respondents expect to use the security mechanism for Web services
interactions as well,” Evans Data analyst Joe McKendrick said. “The problem
is that SSL does not provide the audit trail that is required for most B2B
transactions. The use of digital signatures provides that audit trail and 79
percent of developers using digital signatures are using it in conjunction
with SSL.”
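The distinction McKendrick draws is worth seeing in code. SSL/TLS protects the bytes in flight, but once the session ends nothing remains that a third party can check; a message-level signature travels with the message and can be re-verified from the stored copy alone. The following Go program is an added example, not code from the article, Burton Group or Evans Data. It signs a SOAP Body with RSA and carries the signer's public key and the signature in a WS-Security-style header, then shows that an auditor holding only the stored message and a pinned copy of the partner's public key can confirm it, while a modified body or a message signed by a different key is rejected. The purchase-order payload is constructed for the example, the element names are a simplification (real WS-Security uses XML Signature with canonicalization and wsu:Id references, omitted here), and the wsse namespace is the one OASIS published for WSS 1.0.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// sampleBody is a constructed B2B payload for the example (not from the article).
const sampleBody = `<po:PurchaseOrder xmlns:po="urn:example:po"><po:Item sku="A-100" qty="5"/></po:PurchaseOrder>`

// envelope is the simplified WS-Security-style message layout used here: the
// signer's DER public key stands in for a BinarySecurityToken, and SignatureValue
// is RSA PKCS#1 v1.5 over SHA-256 of the raw Body bytes (no XML canonicalization).
type envelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Header  struct {
		Security struct {
			Token     string `xml:"BinarySecurityToken"`
			Signature string `xml:"SignatureValue"`
		} `xml:"Security"`
	} `xml:"Header"`
	Body struct {
		Inner string `xml:",innerxml"` // exact bytes between <Body> and </Body>
	} `xml:"Body"`
}

func bodyDigest(body string) []byte {
	h := sha256.Sum256([]byte(body))
	return h[:]
}

// Sign builds the message a client sends; the receiver stores it as the audit record.
func Sign(priv *rsa.PrivateKey, body string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, bodyDigest(body))
	if err != nil {
		return "", err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	b64 := base64.StdEncoding.EncodeToString
	return `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"` +
		` xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">` +
		`<soap:Header><wsse:Security>` +
		`<wsse:BinarySecurityToken>` + b64(pubDER) + `</wsse:BinarySecurityToken>` +
		`<wsse:SignatureValue>` + b64(sig) + `</wsse:SignatureValue>` +
		`</wsse:Security></soap:Header>` +
		`<soap:Body>` + body + `</soap:Body></soap:Envelope>`, nil
}

// Verify re-checks a stored message from its own contents plus the auditor's
// pinned copy of the partner's public key. Nothing from the transport session
// is needed, which is what gives the signature its after-the-fact value.
func Verify(stored string, trusted *rsa.PublicKey) error {
	var env envelope
	if err := xml.Unmarshal([]byte(stored), &env); err != nil {
		return err
	}
	tokDER, err := base64.StdEncoding.DecodeString(env.Header.Security.Token)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(tokDER)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok || !rsaPub.Equal(trusted) {
		return errors.New("token key is not the trusted signer")
	}
	sig, err := base64.StdEncoding.DecodeString(env.Header.Security.Signature)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, bodyDigest(env.Body.Inner), sig)
}

// Demo runs the three checks an auditor cares about: the genuine record verifies,
// an altered quantity is rejected, and a record from an unexpected signer is rejected.
func Demo() (genuineOK, tamperRejected, wrongKeyRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stored, err := Sign(priv, sampleBody)
	if err != nil {
		return
	}
	genuineOK = Verify(stored, &priv.PublicKey) == nil
	tampered := strings.Replace(stored, `qty="5"`, `qty="50"`, 1) // post-hoc edit of the stored record
	tamperRejected = Verify(tampered, &priv.PublicKey) != nil
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	wrongKeyRejected = Verify(stored, &other.PublicKey) != nil
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```

The pinned key in Verify is the trust decision a real deployment makes with an X.509 chain or a SAML assertion carried in the same header; the signature check itself is what survives the TLS session and can be replayed to a disputing partner or a regulator.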

Burton’s advice to Microsoft, IBM and other companies like BEA, CA, Layer
7, Netegrity, Oblix, OpenNetwork, PingID, Reactivity, RSA, SAP, VeriSign,
and Westbridge is to turn over the less developed specifications as soon as
possible to the Organization for the Advancement of Structured Information
Standards (OASIS) for independent security review and convergence with other
OASIS specifications.

“Except for WS-Security, the WS-* group is still at an early stage and
needs additional review, rewrites, and proof of concept testing,” Burton’s
authors said. “WS-Policy and WS-Federation are less far along than WS-Trust
and WS-SecureConversation. None of the specifications except WS-Security has
been submitted to OASIS or any other open standards group, and this – along
with WS-Federation’s overlaps with the Security Assertion Markup Language
(SAML) and the Liberty Alliance specifications – has caused considerable

“Yet Microsoft and IBM have committed to providing the
specifications to an open standards body on a royalty free (RF) basis. Thus,
WS-* specifications take an open and architecturally holistic approach that
could ultimately be of great value in delivering the network application

Burton said the idea is that WS-Security will gradually replace the use
of SSL and virtual private networks (VPNs) to secure SOAP.

“If basic WS-Trust and WS-SecureConversation functionality were to join
WS-Security at OASIS, they might also move forward more rapidly toward
broader acceptance, and there would be an opportunity for enhanced
convergence with SAML 2.0,” the report said.

But Microsoft and IBM will need to get their act together. As it stands,
Burton’s analysts estimate the testing and integration process could take a
minimum of five years to complete.

That may be a little easier said than done. Burton said Microsoft, IBM,
and partners have a firm control over the specification process for all WS-*
specifications, except for WS-Security.

“While Microsoft and IBM allowed other vendors to jointly author or
provide feedback to WS-* specifications through a workshop process, they
required vendors to sign a ‘feedback agreement’ to renounce future
intellectual property rights (IPR) claims on the specifications and their
comments about the specifications,” Burton’s analysts said. “In principle,
the feedback agreement is positive because it supports the goal of creating
royalty free (RF) specifications, but concerns that the agreement may be too
open ended – coupled with concerns over entering a Microsoft and IBM
controlled process – have caused some vendors, who would ideally be
participating in the definition of Web services security standards, to
remain on the sidelines.”

Burton said another deal breaker is that large parts of the WS-Federation
specification duplicate work done already on the standards track in SAML, as
well as specifications from Liberty Alliance.

The analyst firm is expected to further outline its recommendation during
its annual Catalyst Conference next week.
