
New WS-I profile meshes SOA security and interoperability

By Rich Seeley, News Writer
04 Apr 2007 | SearchWebServices.com


The Web Services Interoperability Organization (WS-I) seeks to strike a balance between SOAP security and its ability to play well with others.

The new WS-I Basic Security Profile (BSP) 1.0 seeks to add the missing link of interoperability for Web services developers using the OASIS WS-Security standard and Secure Sockets Layer (SSL) technology.

Hailing the profile's publication at a launch event Tuesday, Anne Thomas Manes, vice president and research director at Burton Group Inc., said, "I think this is a really important profile to have for people to make sure they're designing shareable, interoperable Web services that can interface securely."

Since the millennium, the rap on Web services in general and SOAP in particular was that they were not secure, she recalled. However, she said even before OASIS ratified WS-Security two years ago this month, it was possible to make SOAP secure. Making sure secure SOAP technology is interoperable with heterogeneous systems in a service-oriented architecture (SOA) environment is now a problem that BSP solves.

She said one of the strengths of the profile is that it covers interoperability for both WS-Security and SSL because, to be on the safe side, she recommends that her clients use both.

The problem of interoperability for SOAP security was not a trivial one, according to Prateek Mishra, director of security standards at Oracle Corp., which contributed to the WS-I profile.

"The challenge was that security technology has literally hundreds of configurations," he explained in an interview following the BSP announcement. "People found that there was quite an issue with interoperability. Between partners using messaging middleware from different vendors it was very hard to interoperate without having a lot of agreements between them. And it's not a simple agreement. These agreements would be literally 15 pages of parameters."

Web services developers using messaging middleware and tools that support BSP will not have to worry about all that paperwork, Mishra said.

Manes said a common misunderstanding about Web services standards is that people think that is the end of the story and all the developer has to do is implement the specification and, presto, everything is hunky dory. But standards that cover a host of use cases and a variety of technologies often present the developer with a confusing set of options.

"When you're a developer who is trying to implement a particular specification or trying to use a particular specification within an application, sometimes it's kind of hard to figure out how to interpret the specifics and the options that are supplied by a specification," she said. "Therefore that tends to lead to interoperability challenges."

The WS-I profiles guide developers through the maze of options and help them implement a given standard in an interoperable manner, Manes said. She goes so far as to advise clients that in most cases they should not try to implement a standard until there is a profile available for it. Along with the new security profile, she recommends that developers look at all the WS-I profiles for the current standards.

"The original WS-I profiles, the WS-I Basic Profile, and the SOAP Profile and the Attachments Profile gave you basic information on how to use SOAP 1.1, WSDL 1.1, and UDDI 2.0, and the SOAP with attachments specifications," she said. "It was an enormous godsend to the industry because before we had the WS-I Basic Profile it was very difficult to make these specs interoperate."

Paul Cotton, Basic Security Profile Working Group chair, also recommends that Web services developers read the "Security Challenge, Threats and Counter Measures" document his group developed as their first step in creating BSP.

"This document was the first thing the working group actually did to analyze what the challenges were that could be presented against Web services, how those manifested as actual threats and what set of counter measures existed out in the technology sphere that could actually be used by Web services developers to handle those threats," Cotton said. "This is a very good introduction. Many people that write to me and ask questions about the security profile often find that their general questions are answered by the Security Challenges document."


