Security tops every company’s list of priorities, but when it comes to the next generation of software systems based on XML Web services, the industry is still groping for direction. With various vendors and standards groups attacking the core problem from differing positions and interests, enterprises risk drowning in a sea of standards and interoperability issues.

The root of the security blind spot in today’s software is more institutional than technical. Security has typically been a stand-alone practice, more focused on protecting the network perimeter than maintaining system security from the ground up. But with businesses looking to deploy apps outside their four walls, this security disconnect could spoil those efforts.

The good news is that security finally appears to be getting its due. Standards groups are active: The World Wide Web Consortium (W3C) last week recommended its XML Signature specification and has encryption and key management on deck; the Organization for the Advancement of Structured Information Standards (OASIS) is close to releasing its XML-based SAML (Security Assertion Markup Language) specification for authentication. And vendors are bolstering protocols such as SOAP (Simple Object Access Protocol).

Adding drama to this picture is the face-off between Microsoft, with its Passport user authentication system, and the Liberty Alliance, with Sun at the helm. Vendors are building cross-platform identity management systems, but out-of-the-box interoperability is still needed.

As a preview to the RSA Conference 2002 this week, Brian Fonseca details efforts to secure Web services (see “RSA: Securing Web services”). With any luck, this groundswell of activity will move Web services business integration forward.