Want CNET to notify you of price drops and the latest stories?

BEA jumps on security bandwagon

With the release of WebLogic Enterprise Security, the application server provider follows rivals in incorporating security products into its larger packages.

Martin LaMonica Former Staff writer, CNET News
Martin LaMonica is a senior writer covering green tech and cutting-edge technologies. He joined CNET in 2002 to cover enterprise IT and Web development and was previously executive editor of IT publication InfoWorld.
Martin LaMonica
3 min read
BEA Systems, a maker of Java-based server software, plans to enter the market for application security later this month, joining a growing cadre of large software providers that are making security a top priority.

On Monday, BEA introduced WebLogic Enterprise Security (WLES), a software package for enforcing employee or business partner access privileges to corporate applications. The initial product, which is set for delivery by the end of October, is based on security software that BEA gained through the acquisition of CrossLogix earlier this year.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

BEA's security push mirrors the moves of application server competitors that supply software to build and run corporate applications, such as Web sites and banking systems. Application server companies are building authorization capabilities, once the exclusive realm of security specialists, within their respective products.

IBM has been selling its WebSphere Java middleware with its Tivoli-branded security products to authorize a person's identity for some time, analysts note. Sun Microsystems already sells an "identity server" with its Java application server and Oracle is expected to outline its security plans next week. Microsoft, meanwhile, has labeled security as a top priority and has numerous initiatives, including its Trustworthy Computing initiative, to make software programs more secure.

"Everybody that is selling application platforms has found that people want this type of access management built in," said John Pescatore, an analyst at Gartner. "If you're selling against Oracle and IBM, this is an area that BEA had to fill in."

Companies can use the WLES system to control access to business applications that run on BEA's WebLogic Platform version 8.1, a suite of server software products, including a corporate portal, that are based on the Java 2 Enterprise Edition (J2EE) standard.

WLES will also include Java-based tools to allow a company to tie other applications into BEA's security system, including home-grown or packaged applications written with other programming languages. Follow-on versions of WLES, due next year, will work with IBM's competing WebSphere Java server suite as well as with applications written using Microsoft's .Net line of tools, said George Kassabgi, the general manager of application security infrastructure at BEA.

Most existing security products rely on a centralized server to authorize and authenticate a person's entry into a network. BEA's WLES, by contrast, has a distributed set-up built around a single server. It also has "security service modules"--small applications that reside on several servers on a network. Placing the software that tracks the security policies on several network nodes will allow users to get quicker access to applications, Kassabgi said.

WLES also allows administrators to secure specific software components within a large application. For example, a brokerage company could authorize a stock trader to execute only certain trades at certain times.

BEA said that its security software can work with a company's existing network directories and with security products--from companies such as Netegrity and Oblix--that authorize access to a corporate network or a Web site. Or, customers can choose to use all-BEA software for the authorization.

BEA could start competing with established security companies with its WLES initiative, particularly as it tries to sell the products to its existing customers, said analysts.

"You're seeing the beginnings of a competitive threat coming from big application development and deployment companies to some of the traditional security companies," Earl Perkins, an analyst at Meta Group, said.

Although traditional security companies such as VeriSign have more mature authorization products, BEA's distributed approach to security and its focus on application development and deployment sets it apart, Perkins said.

"What BEA is attempting to do is to formalize its approach to integrating security within the application for different platforms and different development environments," he said. "It's taking authorization and authentication to the next step."