Web services are supposed to help companies share data with partners at blazing speed by letting Web-based applications automatically exchange information with other Web applications. But first, IT managers such as Steve Devoti have to be convinced that Web services are safe.

Devoti, directory services manager for CUNA Mutual Group in Madison, Wis., says security concerns have kept the company, which provides financial services to credit unions, from extending Web services outside its network. "People are going to test Web services inside and see what vulnerabilities present themselves," Devoti says. "It's tough to say security concerns aren't justified when you have something so new."

That kind of caution makes sense. This year will bring at least one major IT security problem that exploits a Web-services vulnerability, predicts Gartner security analyst John Pescatore. "Now isn't the time to jump on the Web-services bandwagon," Pescatore says. "Just as with any new technology, it will take a while for companies to learn how to use Web services and for the industry to eliminate security problems."

CUNA is just starting to use Web services inside its network, Devoti says. When a credit-union customer accesses online account information through CUNA's systems, the individual credit union wants that branded with its own logo. Though CUNA uses Oblix Netpoint Web access management software to determine the identity of the incoming customer, it uses a Web-services messaging format, Simple Object Access Protocol, internally to make sure the correct credit-union brand and logo appears. With Web services, Netpoint lets the applications send customer information, including last name and credit-union affiliation, to Netpoint and the application can then use that information to customize its presentation to the user.

Getting to the next level of secure external XML transactions is complex. Transactions must be authenticated and remain confidential and intact, and the transactions have to be verifiable, so they can't be disavowed if there's a dispute. Mike McCormick, systems architect at Wells Fargo & Co. in San Francisco, says companies need to settle on standards such as SAML (Security Assertions Markup Language) used to exchange authentication and authorization information. He says that's likely to happen this summer, but vendors will need to incorporate the standards into software before companies can deploy Web services with partners.

But Pete Lindstrom, director of security strategies for Hurwitz Group, says the usual technology adoption cycle might move faster for Web services, since XML is so pliable that standards aren't as critical as for other security technologies, such as public key infrastructure.

The early days of Web services will largely provide efficiency for in-house application integration, particularly for linking legacy applications. Like Devoti, most managers want to work out bugs internally before they take the risk of connecting to business partners. Until that fear is overcome, the hoped-for revolution from Web services will have to wait.