They made IBM's DataPower XML Security Gateway XS40 their top choice in the application security category.

Further validating the hype over service-oriented architecture (SOA) and the standards-based XML applications around it, readers said the XS40 appliance did better than counterparts at detecting, reporting and preventing known and unknown attacks. It also scored well in integration with other security tools for remediation and reporting, and ease of installation, configuration and administration.

IBM, in 2005, acquired DataPower and its trio of products, which also includes an XML accelerator and an integration appliance. As with any SOA or Web services product, standardization is critical. In addition to the WS-* family of standards, the DataPower appliances support a new breed, including XACML, which is a standard for uniformly expressing fine-grained authentication and authorization rules. This is key with SOA applications, whose machine-to-machine interactions must properly exchange credentials to ensure a secure transaction. XACML enables companies to move authorization rules from one enforcement point to another.

"CISOs are looking at SOA in two ways--one, if the security piece isn't done right, this is a huge liability, exposing the back end to new threats and unauthorized access," says Eugene Kuznetsov, founder of DataPower. "The other part is, if you do this right, secure your security and compliance improves at the same time."

The DataPower appliance acts as an XML proxy that can parse and validate XML schema, encrypt XML message flows and verify digital signatures. Enterprises can use it as an enforcement point for XML and Web services interactions, providing not only encryption, but firewall filtering and digital signatures.

Some of the country's leading banks have deployed the appliance to process mortgage applications using XML or Web services, validating messages and making calls to authentication systems. It's also present in the Department of Defense for internal security between different tiers of applications and filtering messages between classified networks and applications.

"Customers are increasingly recognizing that to make applications scalable to make the business agile, you can't have security architecture teams go into every application, audit and modify it to make sure it's secure," Kuznetsov says. "There is a whole trend of figuring how to take the pieces out and move security to hardware or other tiers and abstracted out of applications."