Reactivity and RSA Security have both leapt on the latest security spec with new products to protect Web apps - something they hope will encourage companies to invest in software-as-a-service projects.

Reactivity has taken an integrated hardware and software approach, while RSA has introduced its first pure Java product for securing Web services. Both are based on the recently-approved Web Services Security (WS-Security, or WSS) specification, which is considered a crucial building block for future standards.

Web services are a standardised way of integrating Web-enabled applications using the open XML, SOAP, WSDL and UDDI standards - XML for tagging the data, SOAP for transferring it, WSDL for describing services available and UDDI for listing the services available. The technology allows applications to exchange data directly, without the need to gather intimate knowledge of another company's internal network, and as such can potentially be a secure and efficient way for businesses to communicate with one another and with clients (see our feature here).

However, standards and products are only now emerging to give businesses full, standardised security for these transactions, with the approval of WS-Security 1.0 by the Organization for the Advancement of Structured Information Standards (OASIS) in April, and the introduction of standards-based systems from the likes of RSA and Reactivity. "WS-Security is essential for securing a Web services environment," said Burton Group analyst Jim Kobielus. "It is central to the core of standards everyone is implementing, including XML, SOAP and WSDL."

Reactivity's Secure Deployment System
So, Reactivity this week introduced the two final pieces of its Secure Deployment System, the Reactivity Manager and the Reactivity Gateway 2400 series (formerly Reactivity XML Firewall). These join the Gateway-D desktop appliance and Gatekeeper server-side plugin to form an integrated system, the company said.

Reactivity Manager is the first to provide "structured workflows for provisioning and rolling out secure Web services", according to the company. It includes what the company calls "one-click PKI", where security certificates and keys are done in one step.

Features such as this will allow Reactivity's suite to address more than just security and tackle broader issues in a company such as technical and organisational problems, said Reactivity chief executive and president Glenn Osaka.

The Gateway, meanwhile, sits in the network and acts as a destination for all Web services traffic, inspecting XML messages for security problems. It can detect attacks such as denial of service threats and take countermeasures.

The device includes version 4.0 of Reactivity's XML Operating System, hardware XML content processing from Tarari and nCipher's nForce 1600 hardware security module. This module is designed for scalable cryptographic acceleration and key storage. It can handle 1,600 new SSL connections per second, the company said.

RSA's BSafe SWS-J
RSA, meanwhile, has launched its BSafe Secure WS-J (SWS-J) encryption and digital signature software, which it said is one of the first commercially available Java systems to support WS-Security. The company said interoperability is key to the product - it can be used with any standard Java console and with WS-Security-based gateways.

The software decrypts incoming SOAP messages or XML data, verifies digital signatures and validates the message's authentication token, and can insert tokens into outgoing messages, the company said. It uses XML Encryption and XML Digital Signing in compliance with WS-Security 1.0, and use of the Java Cryptographic Extensions (JCE) architecture allows it to use any JCE provider.

RSA also announced partnerships with gateway providers including Reactivity and its competitors DataPower Technology, Forum Systems, Layer7 Technologies, Vordel and Westbridge Technology.

WSS in general
WS-Security 1.0 is a foundation specification, laying the groundwork for further Web services security infrastructure. It was originally submitted to OASIS two years ago by Microsoft, IBM and VeriSign, but other vendors - including Sun - later contributed to the standard.

It is already supported by a number of vendors, including BEA, Computer Associates, HP, IBM, Microsoft, Novell, SAP and Sun. It is just a beginning, however, intended to pave the way for future specifications such as WS-Policy for security policies, WS-Privacy for implementing privacy practices, and WS-Federation for connecting trusted identity relationships across different systems.

All the components to Reactivity's suite are available now, with pricing based on the particular configuration. RSA's BSafe SWS-J is available now in a pre-release version, with the final version planned for the third quarter.