Friday, April 06, 2007

How SOA Increases your Security Risk

Bret Latamore published an interesting piece in ComputerWorld on how SOA increases your security risk. The article emphasized what I can compress as follows: Flexibility is the enemy of Security.

Any time one works toward an open, standards-based architecture to integrate internal and external systems, people and processes, the attack surface increases quadratically with the number of nodes that are "open."

The article highlights one of the most important aspects of SOA deployment: Identity Management. With chained web services, where a web service may call a number of downstream web services, identity must be carried as part of the content within the SOAP/XML message as a SAML assertion. Within such environments, each SAML assertion's validity has to be established at every node. Testing such environments, with identity requirements across chained web services, is complex and requires specialized SOA Testing products.
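The per-node check described above, as an added example that is not from the original post or the ComputerWorld article: every node in a chain re-checks the same SAML assertion for issuer, validity window and audience. It assumes a SAML 2.0 assertion inside a WS-Security header; the issuer URL, audience URNs and function names are constructed for illustration, and XML signature verification, which a real node must perform before trusting any of these fields, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example; element layout assumes SAML 2.0 inside a WS-Security header.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample message: a SOAP request carrying the caller's identity.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
   <saml:Issuer>https://idp.example.test</saml:Issuer>
   <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2007-04-06T12:00:00Z" NotOnOrAfter="2007-04-06T12:05:00Z">
    <saml:AudienceRestriction>
     <saml:Audience>urn:example:orders</saml:Audience>
     <saml:Audience>urn:example:billing</saml:Audience>
    </saml:AudienceRestriction>
   </saml:Conditions>
  </saml:Assertion>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(envelope_xml, node_audience, trusted_issuers, now):
    """Return (ok, subject_or_reason) for one node. Signature verification is NOT done here."""
    a = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None:
        return False, "no assertion"
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() not in trusted_issuers:
        return False, "untrusted issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing conditions"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    # Audiences inside one restriction are alternatives; separate restrictions must all match.
    named = [{(e.text or "").strip() for e in r.findall("saml:Audience", NS)}
             for r in cond.findall("saml:AudienceRestriction", NS)]
    if not named or not all(node_audience in s for s in named):
        return False, "audience mismatch"
    return True, a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()

def walk_chain(envelope_xml, hops, trusted_issuers):
    """hops: list of (node_audience, arrival_time); each node re-checks the same assertion."""
    return [(aud,) + check_assertion(envelope_xml, aud, trusted_issuers, t) for aud, t in hops]
```

A downstream node that is not named in the audience restriction, or that receives the message after `NotOnOrAfter`, rejects the identity even though an upstream node accepted it.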

Another important point highlighted in this piece is that legitimate XML traffic within SOA deployments may inadvertently carry malware that originated upstream, but because of the chained and interdependent nature of web services, this malware now gets to a place where it never got to before in siloed environments. Such malware propagation within SOA can be prevented by infrastructure from Crossbeam and Forum Systems.

For the complete article, see "How SOA Increases your Security Risk"

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015145
