Monday, December 28, 2009

MIT Technology Review covers "Swamp Computing" a.k.a. Cloud Computing

XML/SOA Testing of XML Security Policies (XML Encryption, XML Signatures) will become the centerpiece of cloud-based deployments, which are multi-tenant in nature and can inadvertently expose corporate information.

MIT Technology Review published an interesting article, summarized under MIT Technology Review covers "Swamp Computing".

Tuesday, December 22, 2009

Reducing the Complexity of Application Security

Integration is the enemy of security, and so is flexibility - an attribute that is essential for organizations to survive. A corporation that cannot service its customers and suppliers, establish long, sticky relationships with them, and build an infrastructure that enables the rapid addition of suppliers, buyers and partners for information exchange will perish and be demolished by a nimble and flexible competitor whose infrastructure has the integration capabilities for rapid information exchange.

Mike Vizard from CTOEdge talks about the business drivers that compel companies to integrate yet face security challenges that hamper integration efforts: Reducing the Complexity of Application Security

Here's a snippet from Mike's article:
"As business-to-business interactions over the Web become more pervasive, so too does the complexity associated with securing those transactions.
Unfortunately, all that complexity serves only to dissuade businesses from integrating business processes across the Web at a time when we want to encourage that behavior. So the challenge facing chief technologists is to find a way to make it simpler to integrate business processes without having to introduce complex layers of security."
Key components that help reduce (and improve) application security include:
  1. Strong SOA Governance Enforcement, Monitoring and Security through an XML Gateway such as Forum Sentry.
  2. Portal and Web services Authentication and Authorization decisions through Secure Token Services such as Forum Sentry STS - Identity Broker.
  3. Application Security Testing and Simulation through products such as SOAPSonar and SOAPSimulator for Identity, Privacy, Integrity and Penetration Testing.

Thursday, December 17, 2009

Software Magazine: Crosscheck Networks SOAPSimulator adds JMS support

Service Simulation is an essential component of end-to-end SOA Testing. Software Magazine recently published an article on SOAPSimulator, the only stand-alone service simulation product on the market for simulating Web services, XML, REST and SOAP.

A new version of SOAPSimulator from Crosscheck Networks, the company focused on products supporting reliable Web services, adds the ability to test large attachments via IBM MQ, Tibco EMS, WebLogic JMS and native Java Messaging Services adapters...read more>

Tuesday, December 15, 2009

SOAPSonar - QTP Job Posting

The maturity of a market and a product can be judged by the related job postings. Much has been written and said about SOA Testing; however, this data point -- a job posting looking for a Testing and Automation Professional -- validates three key trends:

  1. The number of QA Professionals focusing on SOA Testing within an enterprise has hit a point where having SOA Test Tools, such as SOAPSonar from Crosscheck Networks, alone is not sufficient. A centralized defect tracking and test cases management infrastructure such as HP Quality Center is necessary for efficient collaboration. Incidentally, SOAPSonar is HP EMAP certified with deep integration with QC v10. For details on their integration see SOAPSonar EMAP Certification.
  2. SOA Testing skill sets are far along the commoditization trajectory, with job positions not just in the US but offshore as well. This particular job posting is in Bangalore, India.
  3. SOA Testing requires complex skill sets including XML, SOAP, REST, WSDL, Database, Java, Message Queues, Automation Scripting, as well as fundamental Testing Techniques such as Black Box, White Box and Grey Box testing. The skill requirements will trend towards greater complexity as more IT assets are exposed using Web services and integrated with the SOA fabric.
SOA Testing Professionals will evolve into highly skilled individuals with diverse skills that touch almost all IT assets, from networking to applications, within and across enterprise boundaries. UI, Database and Application Testers will have to expand beyond their domains to keep up with the demands of SOA Testing.

Monday, December 14, 2009

Gartner AADI SOA Testing Sessions

It was exciting to see the extent of interest and coverage on SOA Testing at the Gartner Application Architecture, Development and Integration (AADI) event in Las Vegas last week (December 7-9th). SOA Testing has become an integral part of Enterprise Application Life Cycle Management, and Thomas Murphy, Research Director at Gartner, did a great job of covering the core aspects of SOA Testing at the show in the following session:

SOA Testing: Confronting the Nightmare of Testing Shared Services. The key issues covered included:

  • How will application testing and quality be affected by the shift to SOA and Web 2.0 technologies?
  • What metrics will be effective at driving improvement and assessing the efforts of those collaboratively performing the development and testing of software services?
  • Which tools will provide the best productivity and understanding of software quality and testing for the current and future SOA applications and platforms?

For more details about the SOA Testing Sessions at Gartner, click here.

Thursday, December 10, 2009

SOA Appliance for Cloud Computing

Building a robust SOA is a pre-requisite to cloud computing. Without solid provisions for SOA Testing, SOA Governance, and Federated SOA, large enterprises are unlikely to embark on cloud computing initiatives that truly span Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The article below describes one of the core building blocks required for enterprise SOA deployments - Identity Management and Enforcement. Forum Systems has recently announced Forum STS - a SOA Appliance that enables cloud computing by managing identities within and across SOA domains. For more details, see the article published by Liz McMillan:
SOA Appliance for Cloud Computing
Web services-based Service Oriented Architectures (SOA) enable communication via ubiquitous standards such as XML and SOAP. To foster efficient, effective message exchange and satisfy increasing user demands for real-time, aggregated information from internal and external business partners, trust must be established among all entities. Comprehensive mediation, authentication, and authorization of identity exchange among customer and partner portals, Web applications, and XML-based Web services provide the business with a simplified, coherent model for identity management and build the pillars of Federated SOA.

Friday, November 13, 2009

SOA Testing in a Federated SOA environment

According to Massimo Pezzini, VP and Gartner Fellow, "Federated SOA is a systematic approach to large-scale, enterprise wide SOA that enables organizations to integrate semi-independent SOA initiatives. Often used to fix an initial lack of coordination, federated SOA should be proactively pursued from the inception of major, strategic SOA initiatives." -- Divide and Conquer: Taming Complexity Through Federated SOA.

The technology implication of Federated SOA has pushed towards a convergence of XML/Web services with HTML/Portal technologies. This has a significant impact on industry expectations on SOA Testing Tools, B2B Gateways, Application Servers and XML Gateways. For example, the latest announcement by Forum Systems, the leader in XML Gateway technology, indicates a move towards Federated SOA. See:


Continuing to set the benchmark for securing Web services, key new capabilities available via Forum Sentry include:
  • HTML Portal Virtualization – Deployed in a “proxy” setting, Forum Sentry removes the identity and security burden from Web sites and portals. Leveraging Single Sign On (SSO) functionality across existing infrastructures, Forum Sentry’s non-intrusive, agent-less design accelerates security and identity on a dedicated device – without requiring code changes to back-end Web applications and services, or additional capital expenditure costs.
  • Central Cookie and SAML Processing – Forum Sentry authenticates and authorizes both portal- and Web services-related identity tokens – the cornerstones of Federated SOA. Credentials are shared – regardless of where the services reside – throughout the entire transaction, producing an enhanced, seamless user experience without compromising security.
  • Federated Two-Factor Authentication – Promoting greater security, Forum Sentry requires two pieces of information for identity verification of internal and external partners. It removes the complexities so often associated with token sharing across portals and Web services, while still enforcing the highest levels of authentication and authorization.
  • Protocol/Document Attribute Mapping – Promoting greater ease of use, HTTP/HTML header information can be mapped into messages and documents. User information from HTTP can be transferred into a SOAP or XML message for usage elsewhere in the network – independent of protocol – enabling SOA Federation across both XML and HTML traffic.
The impact of transactional components such as Forum Sentry towards Federated SOA means that testing, monitoring and diagnostic tools now need to converge towards handling not just XML/WS traffic, but also provide the ability to test the HTTP stack as well. This is a natural fit for XML/SOA Testing vendors such as Crosscheck Networks since their core focus has been deeper in the packets in parsing and manipulating complex XML data. Floating up from the deep packet manipulation to the shallow HTTP header testing and manipulation is a simpler task that SOA testing products such as SOAPSonar are very capable of handling.

Monday, November 02, 2009

Federated SOA essential aspects: SOA Testing, SOA Identity and SOA Security

Here is an interesting article by Rob Barry titled: "In SOA, cloud resources may exacerbate security and file transfers issues." It highlights significant requirements for Federated SOA especially around large file transfer using Web services attachments. The article makes the following interesting points:

  • Attachment sizes are increasing, driven by cloud computing, such as transferring large files to Amazon S3 or a company's internal cloud.
  • MTOM and MIME are now used for real-time file transfer over web services instead of FTP or classic MFT protocols.
  • Identity is critical to Federated SOA.
Standards such as MIME and MTOM are now being heavily deployed. For a deeper understanding regarding how MTOM works, see "Intro to MTOM."

Thursday, October 22, 2009

Techniques in Attacking and Defending SOA-XML-Web Services

At OWASP AppSec, Washington, DC, Crosscheck Networks will present a session titled, “Techniques in Attacking and Defending XML/Web Services.” This session will examine the strategies in identifying new attack vectors and classifying security threats, including SQL Injection, Denial of Service (DoS) and XSD Mutation. Additionally, Crosscheck Networks' senior executives will offer countermeasure best practices to mitigate the risk of, and exposure to, those identified XML security threats.
To register, click here.

Wednesday, August 05, 2009

Understanding XML Gateways

The Washington Post published an interesting article highlighting security vulnerabilities in XML. The article titled XML Flaws are pervasive reinforces the need for XML Gateways such as Forum Sentry as a line of defense beyond what is provided by classic IP firewalls.

Also, for pre-production or post-production XML/SOAP-based services, using SOA Testing products such as Crosscheck Networks SOAPSonar provides extensive Security Testing to identify XML-related flaws. Once identified, the remediation strategy can involve:

  • code refactoring, which can have a serious cost and production up-time impact
  • deploying XML Gateways with general or application-specific XML protection policies

Time and cost savings aside, using XML Gateways to protect against XML flaws, as highlighted by the Washington Post article, has the significant architectural advantage of decoupling application business logic from application security.

Tuesday, July 21, 2009

SOAPSonar vs. SOAPUI

Here's an interesting article that talks about SOAPSonar vs. SOAPUI.

SOAPUI vs. SOAPSonar

SOAPSonar has been dominant in the SOA Testing space and is the only product that provides comprehensive SOA Testing across Functional, Performance, Interoperability and Security domains. Crosscheck Networks, the provider of SOAPSonar, recently acquired Forum Systems. With this acquisition, Crosscheck Networks now provides a wide array of integrated product offerings that comprehensively covers services life cycle across building, testing and securing SOA deployments.

Here's another article that highlights why a testing tool that is commercially built is better suited for SOA Testing: Limits of Open source SOA Testing tools.

Monday, July 06, 2009

How-to test SAML tokens

SAML tokens are often used with XML and SOAP messages for identity related functions. Typically an XML Gateway, such as Forum Sentry, or an application server such as SAP Application Server consume or generate SAML artifacts for Authentication and Authorization or carrying Attribute information from the sender.

For testing SOA deployments that use SAML tokens, SOAPSonar from Crosscheck Networks provides all the provisions required to dynamically construct and send SAML tokens within a web services invocation. The configuration screen for SAML tokens, which supports both SAML 1.1 and SAML 2.0, provides the flexibility to set:
  1. Issuer
  2. Name Identifier (emailAddress, unspecified, entity, kerberos, persistent, transient, X509SubjectName)
  3. Confirmation Method (bearer, holder-of-key, sender-vouches)
  4. Statement Type (Authorization, Authentication, Attribute)
  5. Dynamic Time Stamps, Time-to-Live, Include Not-Before, Include Not-After
  6. Signatures

Issuing a valid SAML token requires time-related elements that have to be dynamically generated for each request. Timestamps, TTL, Not-Before and Not-After elements and attributes give SAML assertions a temporal aspect that has to be properly enforced by the service endpoint (server or gateway) and fully tested using dynamic tools such as SOAPSonar. It is also recommended that the integrity of the SAML assertion be maintained through a signature on the assertion. This signature has to be properly generated by the client (SOAPSonar for testing) and properly verified by the service endpoint.
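As an added illustration (not code from the post or from SOAPSonar), the following Python builds a SAML 2.0 assertion with a per-request validity window and shows the checks an endpoint must apply to it: trusted issuer, signature present, confirmation method, and the Not-Before / Not-On-Or-After window with a small clock-skew allowance. The issuer name and the empty ds:Signature placeholder are assumptions; a real deployment computes and verifies XML-DSig.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"saml": SAML, "ds": DS}
FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2009, 7, 6, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
IDP = "https://idp.example.test"  # hypothetical issuer name

def from_iso(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def build_assertion(issuer, name_id, ttl_seconds, now, signed=True):
    """Client side: the Conditions window is generated per request from `now` (the
    post's dynamic time stamps and TTL). The ds:Signature child is an empty placeholder
    marking that a signature was attached; no XML-DSig is actually computed."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0", "ID": "_constructed-id",
                                            "IssueInstant": now.strftime(FMT)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    if signed:
        ET.SubElement(a, f"{{{DS}}}Signature")
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": EMAIL_FMT}).text = name_id
    ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    not_after = now + timedelta(seconds=ttl_seconds)
    ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": now.strftime(FMT),
                                               "NotOnOrAfter": not_after.strftime(FMT)})
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml_text, now, trusted_issuers,
                       skew=timedelta(seconds=30), signature_ok=lambda sig: True):
    """Endpoint side. Returns (accepted, reason). `signature_ok` is the hook where a real
    XML-DSig verifier belongs (the stdlib has none); it receives the Signature element."""
    a = ET.fromstring(xml_text)
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or issuer.text not in trusted_issuers:
        return False, "untrusted issuer"
    sig = a.find("ds:Signature", NS)
    if sig is None or not signature_ok(sig):
        return False, "missing or invalid signature"
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return False, "unsupported confirmation method"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity window"
    if now + skew < from_iso(cond.get("NotBefore")):
        return False, "not yet valid"
    if now - skew >= from_iso(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        return False, "expired"
    return True, "ok"

def demo():
    """Runs the endpoint checks on one token at several clock positions."""
    token = build_assertion(IDP, "alice@example.test", 300, NOW)
    unsigned = build_assertion(IDP, "alice@example.test", 300, NOW, signed=False)
    return {"fresh": validate_assertion(token, NOW, {IDP}),
            "late": validate_assertion(token, NOW + timedelta(seconds=400), {IDP}),
            "early": validate_assertion(token, NOW - timedelta(seconds=120), {IDP}),
            "wrong_issuer": validate_assertion(token, NOW, {"https://other.example.test"}),
            "unsigned": validate_assertion(unsigned, NOW, {IDP})}
```

Replaying the same token with the clock moved is exactly the kind of case a dynamic test tool has to generate, since a token that validated a minute ago must be rejected once its window has passed.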

A trial enterprise version of SOAPSonar can be downloaded here.

Sunday, July 05, 2009

Intro to SOA Regression Testing: A Hands-on Approach

Here's a hands-on approach to SOA-based Regression Testing using XML/Web Services that is useful for developers and SOA QA professionals who want to ensure that the rapid pace of changes made to web services do not degrade the quality of their services.

Intro to SOA Regression Testing: A Hands-on Approach

In this article, techniques for SOA Regression Testing through a hands-on approach are described with a walk through of:

  • Setting up a simple web services consumer (client) and producer (server) environment.
  • Establishing an external MS Excel data source for driving test scenarios.
  • Recording an acceptable base-line run.
  • Simulating regression by changing producer service.
  • Re-running the external test data and identifying producer service regression.

This article was initially published on Code Project by Crosscheck Networks, Inc.

Wednesday, June 24, 2009

SOA Security Testing - XML Gateways

SOA/XML Gateways are a secure bridge that integrates enterprises with their trading partners while ensuring that the information flow upholds the tenets of information assurance: privacy (encryption), integrity (signatures and schemas) and traceability (audit and archive). SOA Testing of XML Gateways requires significant functional depth across security attributes (SSL, WS-Encryption, WS-Signatures), identity facets (SAML, WS-UserName, WS-X.509, WS-Kerberos), structural tests (Schema and Schematron) as well as message exchange patterns based on XML, SOAP, and REST.

Forum Sentry is one such XML Gateway, with a significant differentiating emphasis on security. Jason Macy, VP of Engineering and CTO at Forum Systems, recently recorded an informative webcast highlighting security for XML Gateways. Once such gateways are deployed, using comprehensive SOA Testing products such as SOAPSonar is essential to ensure that the gateway is operating as expected.

  • For more information on SOA Testing Techniques, click here.
  • For more information on XML Gateways, click here.

Monday, June 15, 2009

SOA Build, Test and Secure Paradigm

With the recent Crosscheck Networks acquisition of Forum Systems, the SOA/XML landscape continues to trend towards market consolidation. Enterprises now expect well-integrated products that help IT professionals across the Web Service life cycle and not just in pre- or post-production alone.

  • For building web services, consumers need to get their client-side code developed even before the services are ready. This is where service simulation becomes critical.
  • On the flip side, developers and testers of service providers (service endpoints) need to iteratively test the functional, performance and security characteristics of such services.
  • Once the service endpoints are ready to go, an intermediate XML Gateway needs to be deployed to protect the endpoints.
Through well-integrated products such as SOAPSonar, SOAPSimulator and Forum Sentry, Crosscheck Networks and its wholly-owned subsidiary, Forum Systems, provide comprehensive Web Service Build, Test and Secure functionality for industrial Web Services deployments.

Monday, June 01, 2009

SOA Tips: Transaction Monitoring

Recently, I had a great conversation with Jack Vaughan on transaction traceability and monitoring with SOA. He graciously published some of our talking points under SOA Advisor, a useful section under SearchSOA.com that provides actionable tips on a variety of SOA, XML, and Web Services related topics including SOA Testing.

To see SOA Tips, see:

http://searchsoa.techtarget.com/tips/index/0,289482,sid26_tax309147,00.html

Thursday, February 05, 2009

SOA Testing and Simulation of HL7 v3 messages using Schematrons

In my discussions with engineers at Crosscheck Networks, I have come across an interesting use case in the health care industry where HL7 v3 - an ANSI health care standard modeling clinical, administrative, pharmacy, medical devices and imaging domains - is being deployed by the Dutch Government. The Dutch government's aggressive health care initiative in building a nationwide Health Information Broker (HIB) can serve as a good model for the current US Administration that is considering transforming US health care through nationwide electronic medical records (EMR) as one of its key policy initiatives.

In the Dutch health care technology infrastructure - based on Web Services enabled HL7 v3 specification - message exchanges take place between Health Information Systems via a HIB that maintains the necessary relationships between health care parties. The HIB is an intelligent message intermediary between entities involved in health care including providers, payers and pharmacies. The HIB ensures high quality and validity of health care information that reduces errors caused by manual information processing.
Crosscheck Networks SOAPSimulator and SOAPSonar are an integral part of the HIB, to the extent that health care parties can only tie into the HIB if they meet message viability requirements set and enforced by Crosscheck SOAPSimulator at the HIB. The HL7 v3 message exchange criteria are set at the semantic level as well as the transmission level. With sophisticated use of standards such as WS-I Basic Profiles and Schematrons, custom health care semantic requirements and message transmission requirements are addressed.
Schematron assertions and rules provide a flexible way of capturing business-domain-specific rules that a message must meet for the message to be valid. This improves message interoperability between health care parties. Schematrons enable business rules that can then be enforced on the HL7 v3 messages flowing through the Dutch HIB. SOAPSimulator is deployed as the message validity enforcer for HL7 v3 messages. As new health care parties get ready to integrate with the Dutch HIB, they must first satisfy the rules set in SOAPSimulator via Schematrons that check the correctness and validity of the HL7 v3 requests and responses. Such checks serve as a pre-requisite for production-level integration and reduce interoperability issues between health care parties.

Figure 1: Configuring Schematron 1.5 Criteria Rules for HL7 v3 in SOAPSimulator

Figure 2: Configuring ISO Schematron Criteria Rules for HL7 v3 in SOAPSimulator

In addition to checking against Schematrons, SOAPSimulator checks against a number of additional criteria to ensure that the right identity and security constructs are being used in the message requests.
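To show what an assert/report rule actually does to a message, here is a small Schematron evaluator written for this post (it is not SOAPSimulator's engine or any HL7 artifact). The HL7 v3-style patient fragment and the rules are constructed for the example, and the evaluator only understands the XPath subset that Python's xml.etree supports; a real Schematron engine evaluates full XPath, usually through XSLT.

```python
import xml.etree.ElementTree as ET

# Constructed HL7 v3-style fragment (not a real HL7 message). The <id> element follows
# the HL7 II datatype shape: an OID in `root` qualifies the identifier in `extension`.
PATIENT_MSG = """<message>
  <patient>
    <id root="1.2.3.4.5" extension="123456782"/>
    <name><given>Jan</given><family>Jansen</family></name>
  </patient>
  <patient>
    <id extension="999"/>
    <name><family>Smit</family></name>
  </patient>
</message>"""

# Constructed ISO Schematron rules. An assert fails when its test matches nothing; a
# report fires when its test matches something. ISO and 1.5 namespaces are both accepted.
PATIENT_RULES = """<schema xmlns="http://purl.oclc.org/dsdl/schematron">
  <pattern id="patient-checks">
    <rule context=".//patient">
      <assert test="id[@root]">patient id must carry an OID root</assert>
      <assert test="name/given">patient must have a given name</assert>
      <report test="id[@root='0.0']">placeholder OID root 0.0 must not be used</report>
    </rule>
  </pattern>
</schema>"""

def local_name(tag):
    """Strips the namespace so ISO (purl.oclc.org) and 1.5 (ascc.net) rules both match."""
    return tag.rsplit("}", 1)[-1]

def evaluate(schematron_xml, message_xml):
    """Returns the failed-assert / fired-report messages; an empty list means the message
    passes. Only the XPath subset xml.etree understands (child steps, .//, [@attr],
    [@attr='v']) is supported; real engines evaluate full XPath, usually via XSLT."""
    schema = ET.fromstring(schematron_xml)
    doc = ET.fromstring(message_xml)
    failures = []
    for rule in (el for el in schema.iter() if local_name(el.tag) == "rule"):
        context = rule.get("context")
        for i, node in enumerate(doc.findall(context)):
            for check in rule:
                kind = local_name(check.tag)
                matched = node.find(check.get("test")) is not None
                if (kind == "assert" and not matched) or (kind == "report" and matched):
                    failures.append(f"{context}[{i}]: {check.text}")
    return failures
```

Run against PATIENT_MSG, the first patient passes and the second produces two failures (no OID root, no given name), which is the kind of pre-integration feedback the HIB gives a party before it is allowed into production.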

References:

1) Implementing Web Services in Dutch Health
2) Electronic Medical Records and Obama's Economic Plan
3) http://www.hl7.org/
4) Web Service Enablement of HL7 v3
5) An Introduction to Schematron
6) Crosscheck Networks SOAPSonar and SOAPSimulator