My talk on "Web services security standards overview" was well attended, even at 8 a.m. More important, Oasis held a concurrent forum on security standards Monday. Some thoughts follow.

The Hurwitz take: Developers are probably some of the smartest folks on the planet. Their job is highly complex (nothing like building a car, contrary to popular security belief, at least as relates to vulnerabilities), and their ingenuity in overcoming obstacles to "make it work" is beyond reproach. But I cringe when I sense that they might "spin their own" security solution. (This is the real reason people are so focused on security standards; they want to build it in and forget about it!) There I was, providing insight into how the standards and protocols work, and my final recommendation is, "Don't do it yourself!"

The most common question asked at these shows is, "Why can't I just use SSL?" So we are stuck having to justify security for our next-generation infrastructure. My response is, if SSL suffices, use it. But perhaps the real question is, "Why use Web services?" If SSL is sufficient, that means that your existing architecture (at least conceptually) won't change much, which makes me wonder why you are redeveloping into a Web service to begin with.

SSL is not persistent security and was not intended to integrate the types of distributed components we are looking for with Web services. XML Encryption and XML Signature (and WS-Security for SOAP messages) are the standards that must be implemented, or at least planned, for sufficient security over Web services transactions.

It sometimes feels as if we are condemned to repeat the mistakes of our past. We never learn that even the best developers in the world fall victim to buffer overflow attacks.

Looking for a ThreePeat
First published on September 20, 2002
By Bill Martorelli

Do you think current initiatives can make Web services secure? TalkBack below or e-mail us with your thoughts.

More from Hurwitz Research

View more research on hurwitz.com