• Solutions
  • Overview
  • Application Performance Management
  • Business Transaction Assurance
  • End-to-end Visibility
  • Exception Management
  • Root Cause Analysis
  • Service Level Management
  • Service Quality and Validation
  • Transaction Monitoring and Alerting
  • Service Oriented Architecture
    • SOA Management
    • SOA Governance
    • SOA Security and Compliance
  • SOA Portfolio
  • All Progress Solutions
• Products
  • Overview
  • Actional Diagnostics
  • Actional Application Development
  • Actional Enterprise
  • Actional for Sonic ESB Management
  • Product Literature
  • All Progress Products
• Services
  • Overview
  • Consulting Services
  • Education Services
  • Support Services
• Customers
• Partners
  • Overview
  • Partner List
  • Become a Partner
• Resources
  • Overview
  • White Papers
  • Webinars
  • SOA Blog
  • News Feeds
• Support
  • Actional
  • Apama
  • DataXtend
  • DataDirect
  • EasyAsk
  • IONA
  • ObjectStore
  • OpenEdge
  • Sonic
  • All Products
• News & Events
  • Overview
  • Press Releases
  • Media Coverage
  • Newsroom
  • Events
  • Workshops
  • Podcasts
  • Webinars
  • Awards
  • Quotes
  • Standards Leadership
• About Us
  • Overview
  • Leadership Team
  • Investor Relations
  • Careers
    • Overview
    • Search Jobs
  • Contact Us

Progress / Actional/Resources/White Papers

XML Web Services Security

XML-based Web services is poised to revolutionize Information Technology, much the same way that client server and Web-based applications did in the past decade. Through the use of protocols such as XML, SOAP, WSDL and UDDI, applications can more easily communicate with each other over Internet protocols, enabling faster and cheaper enterprise application integration, supply chain integration, distributed development and Internet-based service distribution models. But in order to gain wide acceptance, service networks must be able to count on standards for XML Web services security.

Register to download this white paper for free today.

Note: The items in BOLD are required fields. You must supply a valid email address to complete the registration.

First Name
Last Name
Company
Title
Job Category	[options] Architect Business Executive Business Manager Other Technical Executive Technical Manager Technical Staff
Industry	[options] Computer Software Consulting Distribution Education Financial Services Government Healthcare Insurance Manufacturing Other Retail Telecommunications Transportation Utilities
Email
Telephone
Address 1
Address 2
City
Country	-- United States Afghanistan Albania Algeria Andorra Angola Anguilla Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Brazil Virgin Islands, British Brunei Darussalam Bulgaria Burkina Faso Burma Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Colombia Costa Rica Croatia Cuba Cyprus Czech Republic Congo, The Democratic Republic of the Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Eritrea Estonia Ethiopia Fiji Finland France Gabon Georgia Germany Ghana Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guyana Haiti Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Ivory Coast Jamaica Japan Jordan Kazakhstan Kenya Kuwait Kyrgyzstan Lao People's Democratic Republic Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Mauritania Mauritius Mexico Micronesia, Federated States of Moldova Monaco Mongolia Montserrat Morocco Mozambique Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Korea, Democratic People's Republic of Norway Oman Pakistan Panama Papua New Guinea Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Congo, The Democratic Republic of the Romania Russia Rwanda Saint Lucia Saudi Arabia Senegal Serbia and Montenegro Sierra Leone Singapore Slovakia Slovenia Somalia South Africa Korea, Republic of Spain Sri Lanka Sudan Suriname Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania, United Republic of Thailand Togo Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Uganda Ukraine United Arab Emirates United Kingdom Uruguay Uzbekistan Vanuatu Venezuela Vietnam Western Sahara Western Samoa Yemen Yugoslavia Zambia Zimbabwe
State/Prov	-- - - -Argentina - - - Buenos Aires Capital Federal Catamarca Chaco Chubut Cordoba Corrientes Entre Rios Formosa Jujuy La Pampa La Rioja Mendoza Misiones Neuquen Rio Negro Salta San Juan San Luis Santa Cruz Santa Fe Santiago del Estero Tierra del Fuego Tucuman - - -Australia - - - Australian Capital Territory New South Wales Northern Territory Queensland South Australia Tasmania Victoria Western Australia - - -Brazil - - - Acre Alagoas Amapá Amazonas Bahia Ceará Distrito Federal Espirito Santo Goiás Maranhão Mato Grosso Mato Grosso do Sul Minas Gerais Pará Paraíba Pernambuco Piauí Paraná Rio de Janeiro Rio Grande do Norte Rôndonia Roraima Rio Grande do Sul Santa Catarina São Paulo Sergipe Tocantins - - -Canada - - - Alberta British Columbia Manitoba New Brunswick Newfoundland and Labrador Northwest Territories Nova Scotia Nunavut Ontario Prince Edward Island Quebec Saskatchewan Yukon - - -Ecuador - - - Azuay Bolivar Canar Carchi Chimborazo Cotopaxi El Oro Esmeraldas Guayas Imbabura Loja Los Rios Manabi Morona-Santiago Napo Orellana Pastaza Pichincha Sucumbios Tungurahua Zamora-Chinchipe - - -Japan - - - Aichi Akita Aomori Chiba Ehime Fukui Fukuoka Fukushima Gifu Gumma Hiroshima Hokkaido Hyogo Ibaraki Ishikawa Iwate Kagawa Kagoshima Kanagawa Kochi Kumamoto Kyoto Mie Miyagi Miyazaki Nagano Nagasaki Nara Niigata Oita Okayama Okinawa Osaka Saga Saitama Shiga Shimane Shizuoka Tochigi Tokushima Tokyo Tottori Toyama Wakayama Yamagata Yamaguchi Yamanashi - - -Mexico - - - AGS BC BCS CAMPEC CHIH CHIS COAH COL DF DGO GRO GTO HGO JAL MEX MICH MOR NAY NL OAX PUE QRO QUINTA SIN SLP SON TAB TAM TLAX VER YUC ZAC - - - Peru - - - Amazonas Ancash Apurimac Arequipa Ayacucho Cajamarca Callao Cusco Huancavelica Huanuco Ica Junin La Libertad Lambayeque LIMA Loreto Madre de Dios Moquegua Pasco Piura Puno San Martin Tacna Tumbes Ucayali - - - UK - - - Aberdeenshire Avon Ayrshire Bedfordshire Berkshire Buckinghamshire Cambridgeshire Carmarthenshire ChannelIslands Cheshire Cleveland Clwyd Cornwall CountyDurham Cumbria Denbighshire Derbyshire Devon Dorset Dyfed EastLothian EastSussex Essex Fife Gloucestershire Grampian GreaterLondon GreaterManchester Guernsey Gwent Gwynedd Hampshire Herefordshire Hertfordshire Humberside Invernesshire IsleofMan IsleofWight Jersey Kent Lanarkshire Lancashire Leicestershire Lincolnshire Merseyside Mid-Glamorgan Middlesex Monmouthshire Norfolk NorthEastSomerset NorthYorkshire Northamptonshire NorthernIreland Northumberland Nottinghamshire Oxfordshire Powys Renfrewshire Rosshire Scotland Shropshire Somerset SouthGlamorgan SouthGloucestershire SouthYorkshire Staffordshire Stirlingshire Suffolk Surrey Tyne&Wear Wales Warwickshire WestGlamorgan WestLothian WestMidlands WestSussex WestYorkshire Wiltshire Worcester ---USA--- AK AL AR AZ CA CO CT DC DE FL GA HI IA ID IL IN KS KY LA MA MD ME MI MN MO MS MT NC ND NE NH NJ NM NV NY OH OK OR PA RI SC SD TN TX UT VA VT WA WI WV WY
Postal Code

Background on Web Services, SOA, XML

XML Web services has had unprecedented support from many of the major vendors including SAP, Siebel, PeopleSoft, Oracle, Sun, IBM and Microsoft with their .NET framework.

Web services is also behind most service-oriented architecture (SOA) implementations today. In addition, the technology is easy to implement: a fact that drastically reduces Web service cost and development time, but at the same time dramatically increases the security risk.

SOAP allows applications to easily communicate with each other using XML, presenting a challenge for Web services security

XML Web services interfaces are XML-based and loosely coupled in practice. XML and SOAP allow any systems to communicate with each other, whether it be an Office XP desktop application or a mainframe system. Over time, as there is pressure to automate business functions, there will be a need to integrate additional diverse systems as part of a broader Web Service environment. This "ecosystem" has some or all of the following characteristics:

• Decentralized in architecture
• Decentralized in administration
• Heterogeneous in implementation technologies
• Connections across multiple departments
• Connections across multiple enterprises
• Peer-based architecture
• Open to the public Internet

Any of these characteristics presents challenges to the overall security of the system. How do you enforce a Web services security policy across an entire environment with multiple heterogeneous systems? How do you ensure that security policies are enforced particularly with "desktop administrators"? How do you work with an outside vendor that is weak in security? How do you Web enable a legacy application that was never designed to be exposed to the public Internet? How can you monitor and audit activity and administrate access across multiple heterogeneous systems? How do you protect an interface implemented using new technology that has much more functionality exposed?

XML Web Services Security: Ready for Production?

XML Web services is a set of protocols and technologies that many believe will change the IT landscape within the next few years. However, the mostly true perception that there are serious issues with Web services and security is preventing the widespread adoption of XML Web services. While there is no way that any system can be completely secure, a greater understanding of the issues, better policies and procedures, better standards and supporting technology can provide many enterprises with adequate protection today for certain deployments. While it's not going to happen overnight, many companies and standards bodies will soon solve these problems.

Security Risk Prevents Widespread Adoption

The number-one concern that prevents many enterprises from implementing Web services in a meaningful way is the lack of understanding of what the security risks are. Many IT managers are dabbling in Web services and have plans to implement in the fictitious "3-6 month timeframe" but are afraid to seriously commit resources until "somebody else has gone first."

Common questions are:

• Will standard firewalls and intrusion detection systems be sufficient?
• What are the details of Web services authentication and authorization?
• Web services encryption: Can I rely on SSL, VPNs and dedicated lines to protect my traffic?
• How do I avoid the most common Web services attacks
• Web services threats: Will hacker attacks be the same as the ones I expect on my own Web site?
• Vendor Support for Emerging Security Standards: Can I rely on vendors to provide adequate protection?
• Will there be a protocol developed that secures my network?

The quick answers to these questions are "no" – although current technologies can provide some level of protection in a controlled environment. While standard Web-based traffic involves HTML from browser to server, Web services traffic can involve application APIs sending data to each other over HTTP, HTTPS, SMTP, wireless and other mediums. Instead of a web server processing HTML, applications will be consumers and producers of SOAP wrapped messages. An application can be both a Web services consumer and a Web service provider. Each Web Service application interface may have hundreds of operations that can be accessed, providing hackers and other individuals (whether intentionally or unintentionally) with new and harder-to-detect ways of compromising systems.

Hindrances to Web Services Growth

Until IT managers are more confident of XML Web Services security standards – or of the availability of products to secure their services networks – Web services will be hindered in its complete adoption. One purpose of this tutorial is to set forth the security threats as they have been identified, and to outline methodologies for coping with these threats.

For More Information

Find out more about XML Web services security. Learn how Actional runtime governance secures your services: download the free webinar, SOA Governance: Where the Rubber Meets the Runtime