Kelvin reports on a finding from Forrester (wow, two Forrester links in the same day). I don't have access to the whole report, but here is the summary:
Current use of WS-Security doubled over the past two years: Now 30% of enterprises pursuing service-oriented architecture (SOA) use WS-Security as part of their SOA and Web services security strategy. Forrester believes that this gives WS-Security critical mass to sustain its place in the SOA landscape, especially considering that another 16% plan to adopt WS-Security. This also provides a foundation for adoption of other SOAP-based Web services security specifications. REST-based services still don't have standard profiles for interoperable security, which means that when security requirements are part of the picture, SOA architects should carefully consider where and how they use REST.
A couple of points on this. First, the number matches my overall experience: I see a lot of SOA and Web services deployments that start with weak or no security, relying on SSL and a prayer. WS-Security, SAML and friends are often added in Phase 2 and Phase 3, so the figure speaks to overall maturity. That is some good news. Mark O'Neill had a good post on this recently as well.
Next, unfortunately, saying you are using WS-Security doesn't mean all that much. As Brian Chess and I discussed in our RSA talk last year, the spec leaves ample room to shoot yourself in the foot at design time, and that's before you even get to implementation. Depending on the profile, you can use weak token types, omit integrity protection, open yourself up to information disclosure, replay and a host of other vulns, all while remaining WS-Security compliant.
This is not necessarily a critique of WS-Security, just some more specifics around what counts as allowable behavior. Our ask at RSA was to add more constraints and not leave so much up to the designer.
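To make the "compliant but weak" point concrete, here is an added example (not code from this post, nor from the RSA talk or any WS-Security toolkit) that builds a UsernameToken two ways and then validates it the way a service endpoint should. Both tokens are valid per the OASIS UsernameToken Profile 1.0: the PasswordText form ships the cleartext password with no Nonce and no Created, so anyone who sees it can replay it; the PasswordDigest form carries Nonce and Created, and the verifier below enforces a freshness window plus a seen-nonce cache so a captured token cannot be replayed. The namespace URIs and the digest formula (Base64(SHA-1(nonce + created + password))) are from the spec; the user store, the five-minute skew window and the in-memory nonce set are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and profile URIs from the OASIS WSS 1.0 / UsernameToken Profile 1.0 specs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
ISO = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store (hypothetical user) and policy knobs for the example.
USERS = {"alice": "correct horse battery staple"}
MAX_SKEW = timedelta(minutes=5)
seen_nonces: set = set()  # real deployments need expiry and shared state across nodes


def build_token(user, password, profile, nonce=None, created=None):
    """Build a SOAP envelope carrying a wsse:UsernameToken in the requested profile."""
    if profile == PASSWORD_TEXT:
        # Weak but spec-compliant: cleartext password, no Nonce, no Created.
        body = (f"<wsse:Username>{user}</wsse:Username>"
                f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>')
    else:
        nonce = nonce or secrets.token_bytes(16)
        created = created or datetime.now(timezone.utc).strftime(ISO)
        digest = base64.b64encode(
            hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()
        body = (f"<wsse:Username>{user}</wsse:Username>"
                f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
                f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
                f"<wsu:Created>{created}</wsu:Created>")
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:UsernameToken>{body}</wsse:UsernameToken>"
            f"</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>")


def verify_token(envelope_xml, now=None):
    """Endpoint-side policy check. Returns (ok, reason).

    Rejects PasswordText, missing Nonce/Created, stale Created, replayed nonce
    and a digest that does not match the stored password.
    """
    now = now or datetime.now(timezone.utc)
    # Untrusted XML: in production parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        return False, "policy requires PasswordDigest"
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not nonce_b64 or not created:
        return False, "Nonce and Created are mandatory under this policy"
    created_dt = datetime.strptime(created, ISO).replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > MAX_SKEW:
        return False, "Created outside freshness window"
    nonce = base64.b64decode(nonce_b64)
    if nonce in seen_nonces:
        return False, "replayed nonce"
    password = USERS.get(user)
    if password is None:
        return False, "unknown user"
    expected = base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)  # record only after a fully successful check
    return True, "ok"


if __name__ == "__main__":
    strong = build_token("alice", USERS["alice"], PASSWORD_DIGEST)
    print("fresh digest token:", verify_token(strong))
    print("same token again:  ", verify_token(strong))
    weak = build_token("alice", USERS["alice"], PASSWORD_TEXT)
    print("PasswordText token:", verify_token(weak))
```

The design point is that none of the rejections above come from the spec itself; they are policy the service has to choose to enforce. A verifier that accepts whatever profile the client sends is still "WS-Security compliant" and still replayable.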
Finally, on REST security: REST requires that you build your own message-level security from scratch and implement it on both ends. Not impossible, but you are reinventing the WS-Security wheel.