Eve Maler on Web Services Security


Eve Maler is vice-chair of the WS-I Basic Security Profile Working Group and currently coordinating editor of the SAML (Security Assertion Markup Language) committee. This recent webservices.org interview with Eve on Web services security is worth reading. One thing that comes out loud and clear is that there's not going to be a magic bullet to Web services security issues. We shouldn't expect one. Rather than deter you from starting on Web services, however, this should induce you to not wait for the next standard or specification. There are solutions that work now. Eve says:

Web services are currently being secured in very traditional ways, to the extent that they're being secured at all. Web services on the Internet, as opposed to behind a firewall, might be secured with HTTPS SSL mechanisms, which are quite common in online individual purchase transactions. It does a fairly good job of protecting the contents of the message while in transit. However, in more complex Web services scenarios, this solution won't always be adequate. If many intermediaries are transacting with the messages as they go from initial sender A to ultimate receiver B, the simple SSL solution might not be adequate. The standards are not cooked yet for securing the content of the message and the channel in all the ways that people would want.

I don't disagree, but most people are trying to implement the complex scenarios that require more complicated security standards at present.