The security enhancements in WSE 2.0 are very welcome

Last issue, I mentioned the new version of Microsoft’s Internet Security and Acceleration (ISA) Server and spoke about the emphasis on security issues vs. user-friendliness in the new and improved features of the upcoming 2004 release.

Right after writing that, I came across some collateral information about Version 2 of Microsoft’s Web Services Extensions, which was released last week. This is a developers’ package, designed to make writing Web services-based tools and applications easier to do in a .Net environment. In the Microsoft article, which is about a project at the Ohio State University Medical Center, I came across this quote, attributed to project team lead Professor Farrukh Khan:

“We saved a great deal of time using WSE 2.0 because it allowed our team to zero in on the solution’s business logic instead of focusing the majority of our development efforts on security. To give you a sense of this, we had previously created a Web services solution without the benefit of WSE, which required us to spend about 80% of the development time writing security related code. It took us two years to build the security system for that project. With WSE 2.0, we could have completed the security system in four months. Using Microsoft .Net and WSE 2.0 we spent only 2% to 4% of the development time creating security-related code.”

Now last issue, I warned that “saving time” in installing ISA server shouldn’t be a consideration – take as much time as you need to get it right. And I’m not contradicting that here because Professor Khan isn’t marveling at how quick setting up security with WSE is, but at how well integrated security is to the product. Rather than spend 80% of the development team’s time on security, they can now spend over 90% of their time on the business case. That should mean services and applications that better reflect what the users want to do.

The security enhancements in WSE are welcome, very welcome but don’t confuse my enthusiasm with abject acceptance. You and your development team should still examine the default settings and actions. You should tweak and configure the security until it does the job you want it to do. But WSE 2.0 makes that job easier.

It’s all just one more indication that Microsoft has finally committed to improving security first – just as Bill Gates promised it would do when he unleashed the Trustworthy Computing Initiative. Microsoft may be late to the party, but it is bringing along the goodies that we all had hoped to see and for that it deserves some applause. Bravo!