Overcoming SOA Insecurity
Experts say defend on many fronts, audit continually, hold partners accountable
By Jennifer deJong
January 15, 2008 —
(Page 1 of 4)
Talk about insecurity.
SOA applications, more often than not, run over a wire that millions of people access every day.
They are likely to include services that originate outside company walls—and, as a result, can’t be completely reigned in.
To make matters worse, SOA apps are moving targets, made up of services that couple and decouple as needed, said Andrew Brown, director of product management for SOA governance tool maker AmberPoint. “How services are wired together today is not how they will be wired together tomorrow.” That adds up to one thing, he said: “When you deploy SOA, you are deploying a new form of insecurity.”
SOA makes the security challenge radically more complex, added Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. “When services connect, you have to ask: Are you really who you say you are? Is anyone eavesdropping? Intercepting the message? Changing it?”
Security outfits and other experts interviewed by SD Times said IT organizations should attack the SOA security problem on many fronts. They need to specify which components can talk to each other, at what times, and which rules (such as data encryption) govern that conversation. They also need to hold partners accountable for strong security measures, and ensure the integrity of the code itself, subjecting it to simulated attacks, and some source code analysis. Finally, architects and developers should design the SOA infrastructure and the services themselves with security in mind, keeping crucial data—such as credit card numbers—far from the vulnerable front line.
Here’s a list of best practices for accomplishing those goals.
Deal with identity management. Determine who is looking at what and what permissions have been applied, said Danny Allan, director of security research for security tool maker Watchfire, which IBM acquired in 2007. “That is front-of-mind for SOA security.” The key is managing the identities of the services as well as those of individuals. IT organizations are accustomed to authenticating and authorizing end users, but they are not as adept at applying those policies to machine-to-machine communication, said Adam Michelson, technical architect for Boston-based consultancy Optaros. “When you look at [a company’s] LDAP directory, there is a long list of end users, and only one [listing] for business-to-business communication,” he said, referring to Lightweight Directory Access Protocol, for querying and modifying directory services such as those used for authentication.
Share this link: http://sdt.bz/31652
Most Read Latest News Blog Resources
Magic announces the release of its revolutionary mobile offering for the development of business applications, with new native clients for iOS and Android platforms
Magic announced today the availability of native iOS and Android clients for its mobile enterprise application platform
|
|
Virtualization: Not just for machines anymore
Network virtualization allows multi-tiered applications to behave as though they were in a physical network
|
|
Achievements and learning: Gamification comes to businesses and schools
Startup takes page from gamers by offering achievement marks to get developers more engaged in their projects
|
|
Zeichick’s Take: The handheld and the tablet, circa 1976
Texas Instruments' and Hewlett-Packard's calculators were doing things decades ago we take for granted today
|
Virtualization: Not just for machines anymore
Network virtualization allows multi-tiered applications to behave as though they were in a physical network
|
|
Achievements and learning: Gamification comes to businesses and schools
Startup takes page from gamers by offering achievement marks to get developers more engaged in their projects
|
|
Google talks tools at AnDevCon III
New 3D debugging tool and recent ADK changes are detailed by Google developers at the third Android Developer Conference
|
|
SmartBear rolls out new quality solution: API Complete
Software gives organizations ability to write test scripts and monitor APIs by bridging the DevOps divide
|
Creation
To write better software, cultivate your ability to be creative.
|
|
Slick...but who needs it?
compilr.com is a well-designed site and the folks behind it seem to have their heart in the right place. But...who needs it?
|
|
How to be a better software developer
Want to be a better developer? You won't get there by mastering an interesting language or learning a new set of APIs.
|
|
Wooing Galatea
Do yourself a favor and check out Galatea 2.2, a wonderful book by novelist Richard Powers.
|
Five SCM Best Practices
Two-thirds of all software projects fail, according to the Standish Group’s CHAOS study. Improper usage of software configuration management...
|
|
|
Best Practices for Branching and Merging Patterns
Development teams often create a branching pattern, usually drawn out on a white board or in a Visio document, that is used as a model to...
|
|
Automated Error Reporting
We invite you to read a short e-zine that tells you all about automated error reporting for .NET applications. This 8-page e-zine is packed...
|
|
The End of Application Redeploys
Imagine that every time you wanted to write, send or receive an email, you needed to restart your computer. How much time would this take, a...
|