My involvement in Web services was a mistake.

I don't mean that I regret it, just that I got involved in Web services because of a mistake I made. It actually started when I was preparing an executive presentation on the current trends in security. I came across one of those juicy statistics that security people (like me) love to use. It said a survey found that security was the number one obstacle to companies implementing "Web services." This is just the kind of direct correlation between security and the deployment of a valuable technology that tends to make people sit up and take notice. Unfortunately, this was prior to the time that Web services received the buzz that it has today, and I mistakenly assumed that "Web services" (the continuing confusion over how to capitalize it did not help then or now) meant services on the Web - e-commerce Web sites, transactional Web sites, and so on. Once I discovered my error (after giving the presentation a couple of times - luckily this statistic was not the centerpiece of the message), I dedicated myself to learning much more about security and this new thing called "Web services."

So, what's changed since then? Well, my company provided me with a research grant to learn about Web services security, and I wrote a lengthy report on the subject. I have spoken at conferences, presentations, and webinars, but I'm far from being able to say that I know all there is to know on the subject. Why? Because, like so much of the Web services universe, the security space is in an almost constant state of flux. There are competing standards, proprietary solutions, and almost as many opinions as there are "experts" on the topic. Gartner recently recommended that companies should go ahead with using proprietary security protocols in their Web services development rather than waiting indefinitely for the standards to sort themselves out and gain sufficient acceptance.

What hasn't changed? Security remains the number one concern in developing and deploying Web services. I have to say that this is pretty comforting for someone who often has to fight to get people to pay attention to security as an important factor in systems development. Yet, although I would like to see security remain a prime focus when considering Web services, I see the need for this aspect to become easier. Gartner has stated that companies should be prepared to spend 50% of their Web services budget on security and, unfortunately, my experience has shown this to be true. My deep fear is that unless security in Web services can be made more transparent (and less expensive), the concerns over risk and the desire to do the right thing will give way to other priorities, like speed to market and lower cost, leaving security "undone."

Unfortunately, another thing that has not really changed is that many people are still not quite sure what Web services are. I continue to encounter a lot of confusion, very much along the lines of the confusion I had when I first started my journey into the world of Web services. This may slow adoption somewhat, but I think that ultimately the value of Web services will win over the uninitiated - like it did for me.

I was honored to be invited to become the security editor for Web Services Journal. This month's issue is a recognition of security's role. My goal will be to keep the focus on security as a key component of Web services all year long. I'll be sharing my own thoughts from time to time, and I want to encourage those who have new ideas or creative thoughts that they would like to share around Web services security to look at using this forum to get the word out. It will take new ideas to turn security from an obstacle into something that enables Web services to take us as far as they can. I look forward to the journey.