14.11 Futures


As work to secure Web services continues, we can also consider this an opportunity to evaluate Web Services offerings through the lens of risk assessment. No Web service is impenetrable to attack. Every offering of a Web service implies the notion of risk; whether on the Internet or on an intranet, there is always a risk when a Web service interface is externally exposed. The following questions arise.

  • What is the scope of the exposure?

  • How can the exposure be offset against the potential value of the service?

  • Who is responsible for the enforcement of any countermeasures used to prevent the service interface from being exploited?

Supplying a complete Web Services environment in which risk assessment and policy enforcement are integral components will depend on several initiatives continuing to evolve as de facto standards.

  • Workflow needs to integrate a security model into its processing model.

  • Some analysis will need to be done to see whether XML schemas can be used to formalize security models through the definition of security types.

  • WSDL V1.2 needs to be extended to contain security attributes and, potentially, policy information as outlined in WS-Policy. Specifically, the area of specifying PKI policies will be important for interoperability in the more dynamic Web services that involve late binding.

  • The emerging W3C and OASIS activities to define the processing rules and key-management services for XML applications must be well integrated with the other Web Services specifications.



Enterprise Java Security. Building Secure J2EE Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
