WS-Security products make their way to the shelves

Reactivity and RSA Security have both leapt on the latest security spec with new products to protect Web apps -- something they hope will encourage companies to invest in software-as-a-service projects.

Reactivity has taken an integrated hardware and software approach, while RSA has introduced its first pure Java product for securing Web services. Both are based on the recently approved Web Services Security (WS-Security, or WSS) specification, which is considered a crucial building block for future standards.

Web services are a standardized way of integrating Web-enabled applications using the open XML, SOAP, WSDL and UDDI standards -- XML for tagging the data, SOAP for transferring it, WSDL for describing services available and UDDI for listing the services available. The technology allows applications to exchange data directly, without the need to gather intimate knowledge of another company's internal network, and as such can potentially be a secure and efficient way for businesses to communicate with one another and with clients.

However, standards and products are only now emerging to give businesses full, standardized security for these transactions, with the approval of WS-Security 1.0 by the Organization for the Advancement of Structured Information Standards (OASIS) in April, and the introduction of standards-based systems from the likes of RSA and Reactivity. "WS-Security is essential for securing a Web services environment," said Burton Group analyst Jim Kobielus. "It is central to the core of standards everyone is implementing, including XML, SOAP and WSDL."

Reactivity's secure deployment system

Reactivity this week introduced the two final pieces of its Secure Deployment System, the Reactivity Manager and the Reactivity Gateway 2400 series (formerly Reactivity XML Firewall). These join the Gateway-D desktop appliance and Gatekeeper server-side plug-in to form an integrated system, the company said.

Reactivity Manager is the first product to provide "structured workflows for provisioning and rolling out secure Web services," according to the company. It includes what the company calls "one-click PKI," in which security certificates and keys are handled in one step.

Features such as this will allow Reactivity's suite to address more than just security and tackle a company's broader technical and organizational problems, said Reactivity chief executive and president Glenn Osaka.

The Gateway, meanwhile, sits in the network and acts as the destination for all Web services traffic, inspecting XML messages for security problems. It can detect attacks such as denial-of-service threats and take countermeasures.

The device includes version 4.0 of Reactivity's XML Operating System, hardware XML content processing from Tarari and nCipher's nForce 1600 hardware security module. This module is designed for scalable cryptographic acceleration and key storage. It can handle 1,600 new SSL connections per second, the company said.

RSA's BSafe SWS-J

RSA, meanwhile, has launched its BSafe Secure WS-J (SWS-J) encryption and digital signature software, which it said is one of the first commercially available Java systems to support WS-Security. The company said interoperability is key to the product -- it can be used with any standard Java console and with WS-Security-based gateways.

The software decrypts incoming SOAP messages or XML data, verifies digital signatures and validates the message's authentication token, and can insert tokens into outgoing messages, the company said. It uses XML Encryption and XML Digital Signing in compliance with WS-Security 1.0, and use of the Java Cryptographic Extensions (JCE) architecture allows it to use any JCE provider.

RSA also announced partnerships with gateway providers including Reactivity and its competitors DataPower Technology Inc., Forum Systems Inc., Layer7 Technologies Inc., Vordel Ltd. and Westbridge Technology Inc.

WSS in general

WS-Security 1.0 is a foundation specification, laying the groundwork for further Web services security infrastructure. It was originally submitted to OASIS two years ago by Microsoft Corp., IBM Corp. and VeriSign Inc., but other vendors -- including Sun Microsystems Inc. -- later contributed to the standard.

It is already supported by a number of vendors, including BEA Systems Inc., Computer Associates International Inc., Hewlett-Packard Co., IBM, Microsoft, Novell Inc., SAP AG and Sun. It is just a beginning, however, intended to pave the way for future specifications such as WS-Policy for security policies, WS-Privacy for implementing privacy practices, and WS-Federation for connecting trusted identity relationships across different systems.

All the components of Reactivity's suite are available now, with pricing based on the particular configuration. RSA's BSafe SWS-J is available now in a prerelease version, with the final version planned for the third quarter.
