I would consider using Web services for some new applications, but I keep reading that we should not yet implement them because of the lack of security. How secure are they?
Web services do not address security well, in the current state-of-the-art of the standard. Lacking is support for authentication, encryption, and access control. Indeed, Web services do not have the ability to authenticate publishers or consumers of the Web services.
The XML-Based Security Services Technical Committee from the Organization for the Advancement of Structured Information Standards (OASIS) is looking to shore up security within Web services with the Security Assertion Markup Language (SAML). This security standard allows organizations to share authentication information between those they wish to share Web services with as partner organizations. Other emerging security standards include the XML Key Management Specification (XKMS), based on PKI (Public Key Infrastructure).
If you want secure Web services, unless you're willing to solve the problem yourself, you'll have to wait.