Overcoming SOA Insecurity
Experts say defend on many fronts, audit continually, hold partners accountable
By Jennifer deJong
January 15, 2008 —
(Page 1 of 4)
Talk about insecurity.
SOA applications, more often than not, run over a wire that millions of people access every day.
They are likely to include services that originate outside company walls and, as a result, can't be completely reined in.
To make matters worse, SOA apps are moving targets, made up of services that couple and decouple as needed, said Andrew Brown, director of product management for SOA governance tool maker AmberPoint. "How services are wired together today is not how they will be wired together tomorrow." That adds up to one thing, he said: "When you deploy SOA, you are deploying a new form of insecurity."
SOA makes the security challenge radically more complex, added Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. When services connect, you have to ask: "Are you really who you say you are? Is anyone eavesdropping? Intercepting the message? Changing it?"
Security outfits and other experts interviewed by SD Times said IT organizations should attack the SOA security problem on many fronts. They need to specify which components can talk to each other, at what times, and which rules (such as data encryption) govern that conversation. They also need to hold partners accountable for strong security measures, and ensure the integrity of the code itself, subjecting it to simulated attacks and some source code analysis. Finally, architects and developers should design the SOA infrastructure and the services themselves with security in mind, keeping crucial data, such as credit card numbers, far from the vulnerable front line.
Here's a list of best practices for accomplishing those goals.
Deal with identity management. "Determine who is looking at what and what permissions have been applied," said Danny Allan, director of security research for security tool maker Watchfire, which IBM acquired in 2007. "That is front-of-mind for SOA security." The key is managing the identities of the services as well as those of individuals. IT organizations are accustomed to authenticating and authorizing end users, but they are not as adept at applying those policies to machine-to-machine communication, said Adam Michelson, technical architect for Boston-based consultancy Optaros. "When you look at [a company's] LDAP directory, there is a long list of end users, and only one [listing] for business-to-business communication," he said, referring to Lightweight Directory Access Protocol, the protocol for querying and modifying directory services such as those used for authentication.
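The two points above, a policy that says which components may talk to which, at what times and under what rules, and service identities that are authenticated the same way end-user identities are, can be shown together in a few dozen lines. The following is an added illustration written for this article, not code from AmberPoint, Fortify, Watchfire or Optaros. The service names, the per-service secrets, the rule table and the sample requests are all hypothetical; a real deployment would typically anchor service identity in a certificate or a directory entry rather than a shared key, but the shape of the check is the same: first establish who the calling service is and that the message was not altered (Thornton's "are you who you say you are" and "is anyone changing it"), then consult the policy for that caller/callee pair.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical per-service secrets. Each service gets its own identity,
# standing in for the certificate or directory entry it would have in
# production. Note there is one entry per service, not one shared
# "business-to-business" account.
SERVICE_KEYS = {
    "order-service": b"order-service-secret-k1",
    "partner-gateway": b"partner-gateway-secret-k1",
    "reporting-batch": b"reporting-batch-secret-k1",
}


@dataclass(frozen=True)
class Rule:
    caller: str            # service identity allowed to initiate the call
    callee: str            # service identity being called
    operations: frozenset  # operations the caller may invoke on the callee
    window: tuple          # (start, end) time of day, inclusive, UTC
    require_tls: bool      # whether this hop must be encrypted


# Hypothetical policy: who may talk to whom, when, and under what rules.
# The first rule matching a caller/callee pair decides.
POLICY = (
    Rule("order-service", "payment-service", frozenset({"authorize", "capture"}),
         (time.min, time.max), require_tls=True),
    Rule("partner-gateway", "inventory-service", frozenset({"query"}),
         (time(6, 0), time(22, 0)), require_tls=True),
    Rule("reporting-batch", "inventory-service", frozenset({"export"}),
         (time(1, 0), time(4, 0)), require_tls=False),
)


def sign(service, body):
    """Caller side: tag the message body with the caller's own key (HMAC-SHA256)."""
    return hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()


def verify_caller(service, body, tag):
    """Callee side: only the holder of `service`'s key can produce a valid tag,
    and any change to `body` in transit invalidates it, so this one check
    answers both the identity and the integrity question."""
    key = SERVICE_KEYS.get(service)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def authorize(caller, callee, operation, now, over_tls):
    """Apply the policy table to an already-authenticated caller."""
    for rule in POLICY:
        if rule.caller != caller or rule.callee != callee:
            continue
        if operation not in rule.operations:
            return False, "operation not permitted for this pair"
        start, end = rule.window
        if not (start <= now.time() <= end):
            return False, "outside permitted time window"
        if rule.require_tls and not over_tls:
            return False, "encryption required on this hop"
        return True, "allowed"
    return False, "no rule for this caller/callee pair"


def check_request(req, now):
    """Full gate for one service-to-service call: authenticate, then authorize."""
    if not verify_caller(req["caller"], req["body"], req["tag"]):
        return False, "caller authentication failed"
    return authorize(req["caller"], req["callee"], req["operation"], now, req["over_tls"])


def make_request(caller, callee, operation, body, over_tls):
    """Constructed sample request as the calling service would emit it."""
    return {"caller": caller, "callee": callee, "operation": operation,
            "body": body, "tag": sign(caller, body), "over_tls": over_tls}


if __name__ == "__main__":
    now = datetime(2008, 1, 15, 10, 30)  # constructed timestamp
    good = make_request("order-service", "payment-service", "authorize",
                        b'<authorize amount="12.50"/>', over_tls=True)
    print(check_request(good, now))
    tampered = dict(good, body=b'<authorize amount="1250.00"/>')
    print(check_request(tampered, now))
```

The tampered request fails before the policy is even consulted, which is the order you want: a message whose origin you cannot establish should never reach authorization logic. Unknown services fail the same way, since they have no key in the table.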