News

OASIS Security Standards Bolster Web Services

OASIS Web services security standards may bolster adoption of technology outside of corporate middleware.

A pair of recently ratified OASIS security standards should help developers push Web services out from behind the enterprise firewall, but widespread adoption of the new protocols will likely take years, experts say.

Web services have been around for some years now but have seen limited use outside corporate middleware, analysts say, due to concerns over performance and security.

The latest Web services standards include WS-Trust 1.3, which helps ensure that security credentials exchanged over the Internet are legitimate, and WS-SecureConversation 1.3, which makes it possible to trade messages back and forth in a secure session without having to take the performance-slowing step of authenticating each one individually.

"I do think the standards will help further adoption of Web services, because they allow a greater degree of flexibility in how you can secure your Web services," says Microsoft Technical Diplomat Marc Goodner, who represents Redmond on standards bodies.

Optimistic Outlook
Gartner Inc. analysts Earl Perkins and Ray Wagner voiced an even more optimistic outlook in late March, a few days after the OASIS ratifications, concluding in a research bulletin that "the availability of these new standards means that Web services security has finally reached an acceptable maturity level."

But Forrester Research Inc. analyst Randy Heffner cautions that, while the standards represent "important progress," the broad adoption and accumulation of accepted best practices necessary for true standardization will take years to achieve. Forrester's latest surveys show roughly a third of vendors reported they plan to support WS-SecureConversation in some form, while about half said they planned to support WS-Trust.

Microsoft, which worked on the specifications along with IBM Corp. and Sun Microsystems Inc., shipped an early implementation of the standards in the Visual Studio "Orcas" community technology preview for March, Goodner says.

Early Adopter
Burton Group analyst Anne Thomas Manes says she knows of only one outside implementation of the two new standards so far: a Case Western Reserve University hospital app that aggregates federally protected medical data from operating room equipment over a network. Most current Web services and service-oriented architecture (SOA) implementations are secured, if at all, via HTTP and SSL, Manes says.

"That's fine as long as you're doing point-to-point connections. Most people are not doing particularly complex interactions at this point," Manes says. "When they start doing true service orientation in which you've got a service used in many different systems, not just point to point, I think you'll find [the new standards] being used."

She also expects Web services standards adoption to be driven in part by Windows Communication Foundation, the new cross-network communications subsystem set out in .NET Framework 3.0. "Windows Communication Foundation actually uses SecureConversation by default," Manes notes.
comments powered by Disqus

Featured

  • .NET 11 Preview 6 Roundup: ASP.NET Core, MAUI, C#, EF Core and SDK Updates

    Microsoft's sixth .NET 11 preview advances async validation, C# unions, cross-platform UI controls, database queries, testing tools, Native AOT and container images.

  • Low-Coding in the Age of AI: Dataverse Embraces Copilot, Claude and Cursor

    Microsoft is extending Dataverse into coding-agent marketplaces while expanding its MCP tools, certification program and governance controls.

  • Visual Studio Takes Aim at Copilot Billing Shock

    Beyond Copilot usage visibility, the June update delivers several other enhancements centered on AI-assisted development, security and quality-of-life improvements. Here's a quick rundown of the remaining additions announced by Microsoft.

  • Claude AI Gets Yet Another Boost in VS Code 1.128

    The July 8, 2026, Visual Studio Code update expands agent workflows, chat attachments, browser-tab controls, OS-level shortcuts and enterprise telemetry management.

Subscribe on YouTube