The companies and programmers responsible for defining the standards to be used for Web services have begun addressing security issues in earnest.
The biggest step so far is the release in April of WS-Security, a set of extensions to the Simple Object Access Protocol (Soap), a widely accepted means of enabling computers that run Web services to talk to each other.
The WS-Security extensions, developed by IBM, Microsoft and Verisign, define a means of encrypting Soap messages and making sure they are not tampered with while in transit between computers.
Because Soap is based on extensible mark-up language (XML), the methods proposed by WS-Security are based on methods built into the XML specifications already approved by the World Wide Web Consortium (W3C), one of the major standards-setting bodies for the Internet.
In a Web services world, the computers running a merchant's online checkout counter might talk automatically to the servers that verify credit-card purchases at a bank.
Using XML encryption and WS-Security protocols would ensure that messages requesting information or certain actions (such as debiting a customer's account) are genuine and generated by the computers that are authorised to do so. Or, in the future, when employees wish to access their own confidential information on servers hosted outside their company, these built-in security mechanisms will help them verify their identity and access this information.
Aside from WS-Security, the consortium of companies plans to introduce other related protocols over the next year and a half: WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation and WS-Authorization. The last three are meant to help users communicate securely with applications that use a different underlying technology. This will be crucial, as there are several groups now defining their own sets of languages for Web services and so far there is no agreement on which languages will become the standards for the Web services world.