Gates steps up web services security

Microsoft has released a toolkit designed to help software programmers tighten security in web services applications.

The toolkit, called Web Services Enhancements (WSE) version 2, will let companies use the latest security capabilities from Microsoft and other software giants like IBM and Sun Microsystems. The software makers are bolstering security in an effort to drive adoption of web services software.

Web services are a set of programming conventions and XML-based standards for building applications that can share information easily. Businesses are currently using web services as a way to transport data between disparate systems. But tighter security for data transmitted via the internet and private networks remains a barrier to wide-scale usage, according to analysts and customers.

WSE version 2 is designed to simplify the process of securing communications between parties and of ensuring the identity of people in a business transaction, according to Microsoft executives. The toolkit implements a number of security-related specifications that were co-authored by Microsoft, including WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation and WS-Addressing.

These published specifications, which are not yet widely adopted industry standards, are designed to work with Web Services Security, another Microsoft-backed security specification now being standardized at OASIS, the Organization for the Advancement of Structured Information Standards.

WSE version 2 is available from Microsoft's developer website. Eventually, Microsoft will add the capabilities to its Visual Studio.Net development tool and the .Net Framework, the software 'plumbing' needed to run web services applications on Windows operating systems.

Microsoft is using the latest web services security mechanisms even though the various specifications are likely to change, according to Microsoft executives. However, the toolkit introduces a programming technique that will allow software developers and administrators to establish security policies that can be altered without having to rewrite existing code.

For example, a company could write a policy that would give network administrators access to corporate servers during working hours, but not after-hours. Using the policy authoring mechanisms in the WS-Policy and WS-SecurityPolicy, a developer can alter the policy without having to completely rewrite the application code, noted Rebecca Dias, product manager for advanced web services at Microsoft.

The toolkit also introduces the ability to transport XML documents using several protocols, including both HTTP (Hypertext Transport Protocol) and TCP (transmission control protocol), which will make it simpler to build web services applications for non-PC devices and wireless applications, Microsoft executives said.

Martin LaMonica writes for CNET News.com