Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 AM
Connect Directly

SOA Interoperability Not Enough

WS-Policy interoperation is a good start, but more needs to be done

Layer 7 Technologies last week announced the interoperability of its security technology with application servers from several major vendors, using a proposed standard that could lead to easier security administration in Web services environments.

The XML gateway company said it has achieved interoperability with app servers and middleware from IBM, SAP, BEA, Sun, and Microsoft, using Web Services Policy (WS-Policy), which defines a framework for the use and transport of Web services.

The WS-Policy specification will make it easier for Web services users to define the requirements--including security rules--for linking Web services applications. For example, a WS-Policy could require that a request be encrypted and signed with a specific algorithm, or that it should be compressed. Web services use the policy to establish a trusted interface between applications and ensure that security requirements have been met.

"The WS-* suite is full of specifications no one needs, but WS-Policy is critical for centralized management, change control, and rapid deployment of services," says Scott Morrison, Director of Architecture for Layer 7.

Anne Thomas Manes, VP and research director at Burton Group, agrees. "The lack of a standardized policy framework is a big hole, and needs to get standardized as quickly as possible. Today, there is no centralized way to configure Web services, which means Web services need to be configured individually."

The WS-Policy specification was submitted to the W3C on April 25, and still must work its way through the standardization process. "Demonstrating interoperability is important, because it shows the industry and standards bodies that interoperability is practical today," says Phil Watson, senior product manager for Layer 7.

Thomas Manes and other experts agree that standardization and limited interoperability are a good start. But until the Web Services Interoperability (WS-I) group publishes an interoperability profile that removes ambiguity in the specifications, the value of an interoperability test is limited, they say.

Final approval of the WS-I profiles is still at least a year or two away, according to observers. In the meantime, enterprises should require vendors to demonstrate interoperability between products or use a Web services proxy to do the work, experts advise.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story

  • BEA Systems Inc. (Nasdaq: BEAS)
  • IBM Corp. (NYSE: IBM)
  • Microsoft Corp. (Nasdaq: MSFT)
  • SAP AG (NYSE/Frankfurt: SAP)
  • Sun Microsystems Inc. (Nasdaq: SUNW)

    Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-11-21
    ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
    PUBLISHED: 2019-11-21
    btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
    PUBLISHED: 2019-11-21
    __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
    PUBLISHED: 2019-11-20
    A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
    PUBLISHED: 2019-11-20
    A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.