Security concerns raised
- By Brian Robinson
- Jun 17, 2002
Security is important for Web services because, unlike static Web pages that simply display information, Web services are used to exchange data with remote systems, which opens a door on those systems to the outside world.
Simple Object Access Protocol (SOAP) and Web services actually bypass firewalls with Hypertext Transport Protocol port 80, which developers use as integration points of entry for business partners that rely on distributed applications, said Adam Kolawa, founder and chief executive officer of Parasoft Corp., a provider of error-prevention tools.
"However, those same [open] entry points could be used by hackers and viruses," Kolawa said.
One way to handle this would be to design around it. For example, you might use different machines for your application server and Web server. Even if people managed to penetrate the firewall, said Robert Wegener, director of solutions for RCG Information Technology, "if they can't run anything, they can't do anything."
Others feel security is not an issue. David Brown, .Net architect for Microsoft Corp., believes Web services can access the same kind of security that other HTTP-based traffic uses, "and no one seems to be afraid to put up a Web site because of security concerns."
Although some people look to Web services as an integration process, Brown said, others such as officials at Microsoft and IBM Corp. are looking to use the technology to provide distributed computing in the future.
"For that, you do need more complex security because that will entail such things as stitching services together, and the question there is how to provide security that can simultaneously cover, say, five different services," Brown said.
Security concerns are the major reason that most early Web services development is happening within organizations and government agencies, where a secure environment is provided by the enterprise firewall.
Early adopters might begin unveiling those services to the outside world early next year.
IBM, Microsoft and online security vendor VeriSign Inc. are working on a new specification called Web Services Security (WS-Security), a set of SOAP extensions that would bring the kinds of security technologies used in the broader World Wide Web into the Web services arena.
IBM and Microsoft officials say they plan to submit WS-Security to relevant standards organizations and expect to develop other specifications that would address other aspects of security, such as policy, trust and authentication.
Brian Robinson is a freelance writer based in Portland, Ore.