Let's be honest with ourselves. The introduction of new technologies is by default going to present new security challenges. That's because it's easier to get something to work than it is to get it to work in a secure fashion. Whether we want to admit it or not, this is because invention always follows the path of least resistance.
But engineers get better at building in security with every evolutionary step of technology. Consider how long it took to develop desktop operating systems that actually required passwords. Then consider how early in the Web browser's evolution it became possible to execute secured transactions using SSL.
Web services are the next frontier for many application developers, and security standards such as SAML (Security Assertion Markup Language) are gaining acceptance in the vendor community. This is occurring in part because of a widespread awareness -- at least among the people who actually get to deploy Web services-enabled applications -- that Web services will be dead on arrival without a level of security that inspires confidence.
So I'm not too worried about the prospect that the advancing tide of Web services is a security disaster in the making. If they're implemented without a thought about security, of course there will be trouble. I'm more concerned that budget and resource constraints will hinder the implementation of secured Web services.
I'm also worried about the platforms that will be hosting the Web services-enabled applications; there's one platform in particular that gives me the heebie-jeebies. You guessed correctly if you imagined that Windows is what bothers me.
That's because Microsoft Corp. has gone too far in integrating its Web browser with the operating system. (Some might say that Windows is just a Web browser with an OS bolted underneath.) This is the reason we have to reboot our Windows servers once a week for the current crop of patches to take. In all the descriptions I've heard of the Web services environment, around-the-clock availability is treated as a given. But anyone running Windows knows that, at best, you're looking at 23 hours and 30 minutes on one or more days a week.
If your shop goes with Microsoft's .Net Framework for Web services, you're tying yourself to an OS that out of the box has more holes than Swiss cheese. Even though the next server version of Windows will be trumpeted as "the most secure ever," I'm going to start an over-under number representing my estimate of the number of Critical Updates that will be posted in the first 12 months after release of Windows .Net Server 2003, and whatever versions of Internet Information Services and Internet Explorer it ships with. I'm opening it at 30.
It's not that I'm anti-Microsoft -- I'm just being realistic; my number simply reflects the track records of Windows, IIS, and IE. I reckon most of you will put that number higher, but I'm going to lowball it, at least until I get the gold code in hand.