12.11. Future Directions
Although WS-Security defines an interoperable syntax and a set of processing rules for exchanging security information and protecting messages, applying them randomly might not make systems secure. One must consider all the relevant aspects of security and balance them against their cost. The use of username tokens makes perfect sense in one environment, but it does not provide any security in other environments. Because flexibility was more important in the design of WS-Security, many options might lead to insecure implementations. As the industry learns more about the real world security requirements of Web services, best practices or patterns for using WS-Security securely will gradually emerge. |