An emerging XML Web services security infrastructure

Anybody who's been following application development trends for any time knows that Web Services is fast becoming the veritable "hot seat" of the development world. It's where the action (and the money) is, and has become a line of business if not an outright obsession for everybody from Apple to Zend, with little outfits like Microsoft, IBM, Sun and others happily carving out their own little domains.

But on the Internet, not only may nobody know you're a dog, everybody is also likely to cross your transom at one time or another. Thus, interoperability, information exchange and trust have become huge issues. Likewise, the Internet has shown the hard, cruel, unflinching light of reality harder on little design flaws in interfaces and applications more regularly (and often, more damagingly) than other forms of use have allowed. Buffer overflows, lack of input validation and naÏve assumptions about user intentions and capabilities have led to great, big, gaping holes in supposedly secure infrastructures and in operating systems, runtime environments and applications alike. On the Internet everybody shares the same security problems.

What's a body to do? The W3C and OASIS are two cooperating bodies that are hard at work at defining an increasingly able and sophisticated Web of interfaces and specifications aimed to up the security ante for Web services. These include (but are not limited to) the following:

This infrastructure will ultimately consist of a set of modular specif

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT XML Developer Use the soapUI software tool to tame WSDL WSDL 2.0, new messaging for Web services Using RELAX NG For data integration Efficient XML Interchange tackles data verbosity XML to DDL imports, synchronizes database schemata The basics of MathML 3.0 Migrating to XSLT 2.0 What's up with XML 2.0? Say hello to XPath 2.0 Podcasting software covers many bases XML security Verizon uses BPEL app to cut down on code, check for fraud, and go green Layer 7 adds SPARC Oracle maps heterogeneous data services strategy for SOA Partnership aims at governance for SOA and Web 2.0 SOA, Web services create software security challenges Efficient XML Interchange tackles data verbosity XML to DDL imports, synchronizes database schemata The case against WS-Security Layer 7 offers SOA 'virtual soft-appliance' XQuery 1.0: A long time coming, now what? WS-SX Web Service Test Forum launched by vendors WSO2 releases C and PHP frameworks Burton: WS-* specs good, but SOA security needs more WS-Trust goes Ping Web services security specs hit the standards track New security standards seek to establish trust Standards, tools vital to Web services security XML Security Tutorial Giants pressured to submit Web services specs to OASIS Determining from WSDL if a Web service supports XML signature

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ications (use the ones you need, ignore the ones you don't) to standardize concepts, WSDL documents and XML Schema renderings so that trusted brokering of SOAP messages may occur, shared security contexts be established and security policies stated and checked for compliance.

Other key related efforts at OASIS include the Web Services Reliable Exchange (WS-RX) project, the Web Services Transaction (WS-TX) project and the Web Services Security committee. Key goals include developing functions to state security policy expressions and to maintain ongoing conversations (exchanges of information) over time.

The clear thrust of these developments is to define standard service building blocks that developers can use to establish, maintain and assess security as it relates to policy, communications and information exchange. Though mastering the many bits and pieces involved can take considerable time, effort, and energy the benefits are substantial enough to persuade companies like IBM, Microsoft, Adobe, BEA Systems, Computer Associates, Novell, Oracle, SAP and VeriSign to build support for these specifications. Smart developers everywhere would be wise to do the same. Start digging in at the OASIS Security Committee headquarters online.

About the author
Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed with comments, questions, or suggested topics or tools for review.