OASIS Security Standards Bolster Web Services

OASIS Web services security standards may bolster adoption of technology outside of corporate middleware.

A pair of recently ratified OASIS security standards should help developers push Web services out from behind the enterprise firewall, but widespread adoption of the new protocols will likely take years, experts say.

Web services have been around for some years now but have seen limited use outside corporate middleware, analysts say, due to concerns over performance and security.

The latest Web services standards include WS-Trust 1.3, which helps ensure that security credentials exchanged over the Internet are legitimate, and WS-SecureConversation 1.3, which makes it possible to trade messages back and forth in a secure session without having to take the performance-slowing step of authenticating each one individually.

"I do think the standards will help further adoption of Web services, because they allow a greater degree of flexibility in how you can secure your Web services," says Microsoft Technical Diplomat Marc Goodner, who represents Redmond on standards bodies.

Optimistic Outlook
Gartner Inc. analysts Earl Perkins and Ray Wagner voiced an even more optimistic outlook in late March, a few days after the OASIS ratifications, concluding in a research bulletin that "the availability of these new standards means that Web services security has finally reached an acceptable maturity level."

But Forrester Research Inc. analyst Randy Heffner cautions that, while the standards represent "important progress," the broad adoption and accumulation of accepted best practices necessary for true standardization will take years to achieve. Forrester's latest surveys show roughly a third of vendors reported they plan to support WS-SecureConversation in some form, while about half said they plan to support WS-Trust.

Microsoft, which worked on the specifications along with IBM Corp. and Sun Microsystems Inc., shipped an early implementation of the standards in the Visual Studio "Orcas" community technology preview for March, Goodner says.

Early Adopter
Burton Group analyst Anne Thomas Manes says she knows of only one outside implementation of the two new standards so far: a Case Western Reserve University hospital app that aggregates federally protected medical data from operating room equipment over a network. Most current Web services and service-oriented architecture (SOA) implementations are secured, if at all, via HTTP and SSL, Manes says.

"That's fine as long as you're doing point-to-point connections. Most people are not doing particularly complex interactions at this point," Manes says. "When they start doing true service orientation in which you've got a service used in many different systems, not just point to point, I think you'll find [the new standards] being used."

She also expects Web services standards adoption to be driven in part by Windows Communication Foundation, the new cross-network communications subsystem set out in .NET Framework 3.0. "Windows Communication Foundation actually uses SecureConversation by default," Manes notes.