A lack of common standards for security and interoperability for Web services is likely to remain a problem for several years to come, according to some industry commentators. Web services is a term used to describe the linking of information systems and business processes through Web-based protocols.

The lack of standards causes particular problems for integrating legacy applications with Web-based applications and services, according to Mike Gilbert, product director of Cobol tools supplier Micro Focus. To illustrate his point, Gilbert described the difficulties he faced when he recently tried to place an order online and in the middle of the process his PC crashed.

"I was left not knowing whether the transaction had completed or not," said Gilbert. "There was no email feedback, but that is not always part of the system design anyway, and emails are not secure; they are easily intercepted and 10 percent never arrive anyway. When I telephoned to make an enquiry, I found the sales office was not geared up to answer the query. Back in the old days, sales offices at least knew how to obtain such information - though they may not have been all that fast."

John Noakes of Microsoft's dot-Net Developer Group pointed out that there are a growing number of standards for Web services, but better security is still needed. This is where the work of the Web Services Interoperability Organisation (WS-I) may be important.

The WS-I is backed by major IT suppliers including Microsoft, IBM, BEA Systems and Sun Microsystems, as well as smaller vendors. It is currently developing open standards for Web services to promote interoperability across platforms, operating systems and programming languages.

In the long term, the WS-I promises to provide standardised protocols and tools to help companies conduct secure business transactions, possibly solving the problems highlighted by Gilbert.

The WS-I has already published drafts of version 1.0 of the Basic Profile - a set of core standards for interoperable Web services. The final documents are due for publication in the second quarter. However, the publication of the final Basic Profile 1.0 will not provide a complete solution, according to Mike Thompson of analyst firm the Butler Group. He predicted that a full set of standards is still several years away.

"I think that WS-I is probably the best hope," said Thompson. "But for now, companies will be implementing what are, in effect, proprietary standards that carry the risk of future lock-in. I don't believe there is anything that has the level of security needed to manage transactions securely in Web services. There is certainly no set of services that are implementable now."

Thompson believes that full standards will not arrive for a long time. "There is growing recognition of a timescale before secure Web services are available for external use, and the consensus is around five years. Until then, Web services will only be used internally by [most] enterprises," he said.

Thompson predicted that Web services will therefore develop in two stages. "Once Web services are exposed internally, enterprises will be able to develop applications and services that will be ready for external use [when full standards appear]. All that will be needed is to bolt on the security services, and the applications and services will be immediately ready to be externalised," said Thompson.

Have your say: reply to IT Week