service-orientated-architecture · SOA
Message #4504 of 13953
Re: [service-orientated-architecture] Greenfield on Adolescent WS

As Anil indicated, security should not be implemented just using a framework. An organization should implement a comprehensive security infrastructure, which comprises frameworks, mediation systems, shared services, and policy-oriented management and control. (I recommend using a combination of XML gateways and a SOA management system. I don't recommend using the built-in WSS frameworks in web services platforms.)

An organization should provide training to all folks involved on how to effectively use the security infrastructure, and it should institute governance processes to ensure that security is properly implemented and configured in every application or service before it is promoted to production. I also agree with Andrew that security must be considered at every step in the SDLC -- starting at the requirements stage.

If you leave security to the whim of the developer, then security is going to be a significant challenge. But security for web services is no more difficult than security for any distributed computing environment. In fact, it might be easier, because products like XML gateways and SOA management can simplify and externalize most of the effort. They even make it relatively simple to integrate with legacy systems that implement proprietary authN and authZ schemes.

Anne

On 5/30/06, Dan Creswell <dan@...> wrote:
Andrew S. Townley wrote:

[snip]

> Until everyone considers security at every step of delivering software,
> security will remain an issue, and the only way it won't be hard anymore
> is the same way riding a bicycle isn't hard after you've been doing it
> for a few years.  I don't think we're there yet, and that's why I made
> the comment I did earlier.
>

+1


Security is notoriously application/service/platform specific and
doesn't respond well to the framework/standardization approach so often
applied.

Note that many services have their own internal authorization models
(custom permissions etc) which can also be difficult to implement
appropriately.

Sure a framework can get you a certain minimum level of security but, if
you need serious security, this won't cut it.  You'll need to go through
the entire stack, hardware up, and that requires some smart people with
big knowledge.

Cheers,

Dan.
Tue May 30, 2006 1:39 pm

annemanes
Copyright © 2009 Yahoo! Inc. All rights reserved.