Ignore standards for web services security

Analysts tell firms to take proprietary route to secure web services-based transactions

Written by Lisa Kelly

Companies should take the proprietary route to provide security for web services-based transactions over the next three years, according to analysts.

In a research paper, Security Pattern Standards Face a Long Road to Maturity, analyst Gartner advises firms to rely on vendor-provided technology to provide security for web services-based transactions until 2006, even though it may not comply with standards.

Although there are no products as such, major vendors sell application development packages, such as Microsoft's Visual Studio .Net, which have the facility to build security into web services.

The Gartner report argues that web services security is immature and that complex, multi-party web services will require newer, more versatile security patterns for electronic transactions.

Built on XML, Simple Object Access Protocol and Web Services Description Language, the WS-Security-related specifications are designed to be used together to provide a rich, secure web services environment.

But Gartner warns that the key security specification, WS-Security, which protects the confidentiality of a message and is backed by the Organisation for the Advancement of Structured Information Standards, will not provide a complete security solution for complex web services, where transactions cross organisational boundaries.

"WS-Security establishes a model that brings together formerly incompatible security technologies, such as public key infrastructure, XML Digital Signature and XML Encryption," said the report's author, Jess Thompson.

"Although WS-Security is the security cornerstone, it is only the beginning and must be extended with additional specifications that deal with policy, trust and privacy issues."

Mike Thompson, principal research analyst for the Butler Group, agreed with the Gartner view, but said standards will take 18 months, rather than three years, to mature.

He told vnunet.com that "in the first flush of enthusiasm" Butler had told firms not to take the proprietary route. But with security standards not expected to be agreed within the next 18 months, the analyst firm's view had changed.

"Now we are advising to go for the vendor approach as companies can't wait that long, but to get assurances that there will be some interoperability with open standards," he said.

Marc Chanliau, director of XML technologies at security firm Netegrity, said: "Why rely on vendor-provided technology that may not comply with standards to provide security if there are enough standards widely embraced by the industry?"

But Gartner's Thompson countered: "Although there are standards to secure the message, there are no mature standards for the security of the interfaces when different components talk to each other."

Gartner advises businesses to investigate the use of WS specifications when they are embarking on a strategic direction to expose functionality to a large number of business partners as web services.

Also, if they are implementing complex, multi-party web services, they must have the IT expertise to implement the appropriate security, and work with trading partners capable of using the same security technologies.

To implement security today, Gartner recommends that companies implement simple point-to-point web services that can be secured using mature technologies like secure sockets layer and digital certificates.

It added that they should expose those web services to only a small number of trading partners and consider making large groups of transactions using proven, secure batch technologies.
