MS Secures Web Services
Web Design & Technology News, July 15, 2003

July 15, 2003

Microsoft (MSFT) released on Tuesday a toolkit designed to help software programmers tighten security in Web services applications.
By Martin LaMonicar

The toolkit, called Web Services Enhancements (WSE) version 2, will let companies use the latest security capabilities from MSFT and other software giants like IBM and Sun Microsystems. The software makers are bolstering security in an effort to drive adoption of Web services software.

Web services are a set of programming conventions and XML-based standards for building applications that can share information easily. Businesses are currently using Web services as a way to transport data between disparate systems. But tighter security for data transmitted via the Internet and private networks remains a barrier to wide-scale usage, according to analysts and customers.

WSE version 2 is designed to simplify the process of securing communications between parties and of ensuring the identity of people in a business transaction, according to MSFT executives. The toolkit implements a number of security-related specifications that were co-authored by MSFT, including WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation and WS-Addressing.

These published specifications, which are not yet widely adopted industry standards, are designed to work with Web Services Security, another MSFT-backed security specification now being standardized at OASIS, the Organization for the Advancement of Structured Information Standards.

WSE version 2 is available from MSFT's developer Web site. Eventually, MSFT will add the capabilities to its Visual Studio.Net development tool and the .Net Framework, the software "plumbing" needed to run Web services applications on Windows operating systems.

MSFT is using the latest Web services security mechanisms even though the various specifications are likely to change, according to MSFT executives. However, the toolkit introduces a programming technique that will allow software developers and administrators to establish security policies that can be altered without having to rewrite existing code.

For example, a company could write a policy that would give network administrators access to corporate servers during working hours, but not after-hours. Using the policy authoring mechanisms in the WS-Policy and WS-SecurityPolicy, a developer can alter the policy without having to completely rewrite the application code, noted Rebecca Dias, product manager for advanced Web services at MSFT.

The toolkit also introduces the ability to transport XML documents using several protocols, including both HTTP (Hypertext Transport Protocol) and TCP (transmission control protocol), which will make it simpler to build Web services applications for non-PC devices and wireless applications, MSFT executives said.