Firms release latest security products for web services

Reactivity and RSA Security have launched new products to protect web apps - something they hope will encourage companies to...

Reactivity and RSA Security have launched new products to protect web apps - something they hope will encourage companies to invest in software-as-a-service projects.

Reactivity has taken an integrated hardware and software approach, while RSA has introduced its first pure Java product for securing web services. Both are based on the recently-approved Web Services Security (WS-Security, or WSS) specification, which is considered a crucial building block for future standards.

Reactivity's two final pieces of its Secure Deployment System, the Reactivity Manager and the Reactivity Gateway 2400 series (formerly Reactivity XML Firewall) join the Gateway-D desktop appliance and Gatekeeper server-side plug-in to form an integrated system.

Reactivity Manager is the first to provide "structured workflows for provisioning and rolling out secure web services", according to the company. It includes what the company calls "one-click PKI", where security certificates and keys are done in one step.

Features such as this will allow Reactivity's suite to address more than just security and tackle broader issues in a company such as technical and organisational problems, said Reactivity chief executive and president Glenn Osaka.

The Gateway, meanwhile, sits in the network and acts as a destination for all web services traffic, inspecting XML messages for security problems. It can detect attacks such as denial-of-service threats and take countermeasures.

The device includes version 4.0 of Reactivity's XML Operating System, hardware XML content processing from Tarari and nCipher's nForce 1600 hardware security module. This module is designed for scalable cryptographic acceleration and key storage. It can handle 1,600 new SSL connections per second the company said.

RSA, meanwhile, has launched its BSafe Secure WS-J (SWS-J) encryption and digital signature software, which it said is one of the first commercially available Java systems to support WS-Security. The company said interoperability is key to the product - it can be used with any standard Java console and with WS-Security-based gateways.

The software decrypts incoming Soap messages or XML data, verifies digital signatures and validates the message's authentication token, and can insert tokens into outgoing messages.

It uses XML Encryption and XML Digital Signing in compliance with WS-Security 1.0, and use of the Java Cryptographic Extensions (JCE) architecture allows it to use any JCE provider.

RSA also announced partnerships with gateway providers including Reactivity and its competitors DataPower Technology, Forum Systems, Layer7 Technologies, Vordel and Westbridge Technology.

WS-Security 1.0 is a foundation specification, laying the groundwork for further web services security infrastructure. It was originally submitted to Oasis two years ago by Microsoft, IBM and VeriSign, but other suppliers - including Sun Microsystems - later contributed to the standard.

It is already supported by BEA Systems, Computer Associates International, Hewlett-Packard, IBM, Microsoft, Novell, SAP and Sun.

It is intended to pave the way for future specifications such as WS-Policy for security policies, WS-Privacy for implementing privacy practices, and WS-Federation for connecting trusted identity relationships across different systems.

All the components to Reactivity's suite are available now, with pricing based on the particular configuration. RSA's BSafe SWS-J is available now in a prerelease version, with the final version planned for the third quarter.

Matthew Broersma writes for

Read more on IT strategy