The following press release was provided regarding the new standards approved by OASIS. Rather than rehash this information, I simply provide you with the press release. It is worth noting the various companies that were involved in seeing these standards approved.
Boston, MA, USA; 27 March 2007 -- OASIS, the international standards consortium, today announced that its members have approved WS-SecureConversation version 1.3 and WS-Trust version 1.3 as OASIS Standards, a status that signifies the highest level of ratification. Developed by the OASIS Web Services Secure Exchange (WS-SX) Technical Committee, these new standards define policies and extensions to WS-Security that enable the trusted exchange of multiple SOAP messages.
"In order to secure communication between two parties, both must exchange security credentials. Before that can take place though, each party needs to determine if they can 'trust' the asserted credentials of the other," explained Anne Thomas Manes, research director with the Burton Group. "Applications that communicate using the Web services framework (e.g., SOAP and WSDL) can use WS-Trust to obtain and exchange security credentials--either directly or through a trusted third party--and use WS-SecureConversation to establish and maintain an extended secure session."
WS-Trust provides methods for issuing, renewing, and validating security tokens as well as establishing, detecting, and brokering trust relationships. WS-SecureConversation allows security contexts to be created and key material to be exchanged more efficiently. Together, WS-Trust and WS-SecureConversation can increase the overall performance and security of exchanges.
"We defined the basic mechanisms for providing secure messaging in WS-Security," explained Kelvin Lawrence of IBM, co-chair of the OASIS WS-SX Technical Committee. Lawrence, along with WS-SX co-chair, Chris Kaler of Microsoft, previously led the WS-Security development effort at OASIS. "WS-Trust builds upon WS-Security by introducing an XML syntax and a protocol that enable the issuance and dissemination of credentials between different trust domains via a Security Token Service (STS)."
"WS-Security focuses on the security of a single message, which is useful in many situations," noted Kaler. "WS-SecureConversation adds a security context authentication model that is extremely beneficial for long-running exchanges. When two parties are passing multiple rounds of secured messages back and forth, the added security and efficiency provided by WS-SecureConversation becomes essential."
IBM, Microsoft, and Sun Microsystems have verified successful implementations of WS-SecureConversation and WS-Trust, in accordance with eligibility requirements for all OASIS Standards.
Representatives of Adobe, AmberPoint, Axway, BEA Systems, BMC Software, CA, EDS, Forum Systems, Fujitsu, HP, IBM, IONA, Microsoft, Neustar, Nokia, Nortel, Novell, Oracle, Progress Software, Red Hat, Ricoh, SAP, SOA Software, Software AG, Sun Microsystems, Tibco Software, VeriSign, and other members of OASIS collaborated to develop WS-SecureConversation and WS-Trust.
"The support for this work has been tremendous," observed Patrick Gannon, president and CEO of OASIS. "Specifications that were initiated by a few vendors two years ago have evolved and benefited significantly by participation from the broader international community. Today, with 90 participants from more than 40 organizations, WS-SX represents one of the largest Committees at OASIS. This is an indication, not only of the breadth of input that has gone into these standards, but also of their ability to meet the needs of the marketplace."
Participation in the OASIS WS-SX Technical Committee remains open to all, and OASIS hosts the public ws-sx-dev mailing list for exchanging information on implementing the standard.
Support for WS-SecureConversation and WS-Trust OASIS Standards
"The standardization of WS-SecureConversation and WS-Trust is a key step towards enabling the development of secure SOA services which are highly efficient and scalable," said Hal Lockhart, Principal Engineering Technologist, BEA Systems.
"BMC has been a long time supporter of OASIS and its industry standardization efforts around Web services. The approval of WS-Trust and WS-Secure Conversation adds important pieces to the Web services standards puzzle which will enable customers to enjoy better interoperability between products and custom developed application and support their Service Oriented Architecture strategy. BMC looks forward to the adoption of the new standards and the role it will play in our customer's Business Service Management infrastructure," said Jeff Bohren, Identity Management Business Unit, BMC Software.
"The approval of the WS-Trust and WS-SecureConversation standards represents an important step in making cross-domain and cross-enterprise Web services more secure and interoperable. This secure interoperability is essential for enabling the kinds of Internet-based business relationships that many organizations are embracing," said Andy Rappaport, architect for identity and access management at CA.
"We are pleased to see WS-Trust and WS-SecureConversation become OASIS Standards. Customers have been asking for an industry standard framework that supports the requesting and issuing security tokens, brokering of trust relationships and providing secure messaging semantics that support multiple message exchanges between parties. In conjunction with the existing WS-Security standard, these new standards provide the necessary mechanisms to enable a number of secure Web services-based scenarios that our customers have told us they want to deploy. IBM already offers support for earlier drafts of WS-Trust and WS-SecureConversation in many of our WebSphere and Tivoli products, and these new OASIS Standards will be fully supported across the IBM software portfolio," said Karla Norsworthy, vice president, IBM Software Standards.
"Microsoft is pleased with the benefits that WS-SecureConversation 1.3 and WS-Trust 1.3 can offer the industry. Both standards can engage in secure communications while adding increased performance and security exchanges," said Chris Kurt, Group Product Manager of Connected Systems Division, Microsoft.
"Oracle is deeply committed to helping bring security standards to the market. The latest standards to come out of the OASIS WS-SX Technical Committee provide applications with a secure way to communicate with one another and strengthen the 'hot-pluggable' capabilities of Oracle's comprehensive family of identity management products," said Prateek Mishra, director, Security Standards, Oracle.
"SAP considers WS-SecureConversation and WS-Trust key components for an enterprise SOA, addressing important security scenarios that are a critical success factor for the development and integration of business applications. We are pleased to announce the support of these two security standards in the next release of SAP NetWeaver. With WS-SecureConversation and WS-Trust, we'll enhance our support to securely manage change which is a significant factor in our customer's success in adapting to increasingly dynamic business environments," said Michael Bechauf, Vice President Industry Standards, SAP.
"The approval of WS-Secure Conversation and WS-Trust as OASIS Standards represents a significant step in advancing Web service messaging security. As a charter member of the OASIS WS-Security Technical Committee, we are thrilled at the group's progress and look forward to future collaborations," said Donald Adams, Vice President, Chief Security Officer and Chief Technology Officer, TIBCO.
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces open standards for Web services, security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. http://www.oasis-open.org
# # #