SOA Testing

SC Magazine Rates Forum Sentry Product Five Stars

2011-12-12T13:23:00.003-05:00

What's the difference between a Security Gateway product and a Enterprise Service Bus (ESB)? Security! You never let users develop and deploy custom code in a gateway. Custom SOA functionality is better suited for ESBs or application servers. Deploying such functionality in a SOA/XML gateway is fraught with risk. It breaks the key paradigm of separating security from application functionality. Security functionality should never be coded by an enterprise, it should only be configured.

Question: When was the last time you dropped custom code in your firewall?

The SC Magazine Product review of Forum Sentry, the leading security gateway in the industry validates this Security vs. ESB notion by choosing Sentry as the only SOA/XML gateway in the security product review category. Other gateways are merely application servers or ESBs with prepackaged security functionally that can be readily by-passed by the custom code that they run.

For detailed product review see: SC Magazine Forum Sentry

SaaS provider hooks frats to Facebook with help from SOA appliances

2011-12-05T13:47:00.000-05:00

James Denman's article shows a real-world example of how social media such as Facebook and SOA have converged. Web Portals now use rich content from a variety of sources and providers. Users are now not only expecting Web SSO, but also direct integration of their social media content with corporate services. The Facebook integration used for SSO highlights how SOA, SSO and Social media are now central to corporate IT services.

A Software as a Service (SaaS) provider specializing in financial and information services for Greek fraternal organizations has tapped into Facebook to provide its fraternity and sorority users with easier updates to information. At the same time, it has tapped into a rack-mounted SOA appliance to provide security and federation services.

OmegaFi is a SaaS specialist that offers a range of services tailored to the Greek crowd. OmegaFi was founded on chapter and alumni management tools but the portfolio has grown to include fundraising tools as well as information management services.

Forum Systems, a maker of security and identity management appliances for SOA systems, has been a part of OmegaFi's recent growth. According to OmegaFi CIO John Woolbright, Forum's Sentry XML gateway appliance has been instrumental. Woolbright said in a statement, "After collaborating with us to meet the requirements of a three-month proof-of-concept project, we selected Forum Systems as our provider of choice for security and federation."

For full article, see: SaaS provider hooks frats to Facebook with help from SOA appliances.

ITBusiness Edge: Old Reliable - FTP Still Relevant in an SOA, Cloud World

2011-08-03T11:27:00.001-05:00

Loraine Lawson covers "Old Reliable" FTP and its relevance to SOA and Cloud Computing. FTP is "reliable" as in "a reliable friend that you can always call," however, the protocol itself is not reliable for content delivery unless Managed File Transfer (MFT) type products are used to enable reliability using FTP. The article is well written and covers an important trend that brings SOA, Cloud Computing, and Managed File Transfer under a single, manageable umbrella. Excerpts from the article are below:

You would think that all this movement toward cloud and services and SOA would mean the end of things like managed file transfer and FTP. Instead, companies that offer these approaches are reinventing themselves and claiming new relevance.

Complete article: Old Reliable - FTP Still Relevant in an SOA, Cloud World

Updated XML gateway brings FTP under the SOA governance umbrella

2011-07-27T12:17:00.001-05:00

Jack Vaughan's recent article covers an important emerging trend: convergence between SOA and MFT technologies. Managed File Transfer (MFT) is a baseline mechanism for information movement within and across corporations using legacy protocols such as FTP. However, with the emergence of modern SOA-related protocols, companies are now migrating away from less secure and less reliable MFT transport protocols. This trend is also driven by regulatory requirements including PCI, HIPPA, and GLB

Link to Jack's article: Updated XML gateway brings FTP under SOA Governance umbrella.

Excerpt from the article:

Despite SOAP and SOA inroads, the vaunted File Transfer Protocol (FTP) continues to flourish in organizations that - not surprisingly – need to transfer files. Finance and banking both represent FTP bastions – although both sectors are also on their way to becoming SOA strongholds of sorts.

Bringing FTP - originated in the 1970s - under the general umbrella of governance is an eventual goal for many of these companies. Forum Systems, a Crosscheck Networks' subsidiary, seeks to support such efforts with a recent update to the Forum Sentry Gateway.

The latest version of the gateway offers content-level security for structured and unstructured data for documents of unlimited size using the OpenPGP standard, while also enabling message transfers over a variety of secured and unsecured transport protocols. Moreover, the software allows organizations to plan migrations from batch FTP processing to SOAP with Attachments (SwA)(MIME, DIME, MTOM), while using existing centralized governance policies across both legacy and modern message formats.

SC Magazine: Federation 2.0 - An Identity Ecosystem

2011-07-05T10:06:00.001-05:00

Deb Radcliff's defining, informative and well thought out article on the current state and future of Federated Identity is a must read for all SOA, Networking and Security professionals. According to Deb (excerpts from article):

Federated identity, the process of authenticating someone across multiple IT systems and organizations, is taking on new meaning with the growth of cloud and mobile.

Synovus Bank, with 30 banks on the East Coast, didn't want to manage the identities of its approximately 100,000 commercial and 200,000 home-based customers. It also wanted its identity management to occur outside its firewall. So Synovus recently started using Crosscheck Network's Forum Sentry XML Gateway service between these users and their applications.

“Users and their sessions authenticate on the Forum structure, their SAML assertions are signed by Forum, and Forum also issues their secure tokens,” says Santosh Kokate, lead technical analyst with Synovus. “The beauty is I have online banking sitting safely behind the identity gateway and the identities and authentication are established there. I don't have to manage those identities or write a single line of code to make federation happen.”

Synovus also supports authentication for mobile users through REST (Representational State Transfer), which supports HTTPS-based assertions for when Kokate estimates are 8,000 mobile banking customers at this point (and more planned in the future). Because Synovus' intermediary, Crosscheck, supports these and other standards, Synovus can adapt to different types of identity federation requirements as needed.

For complete article, click Federation 2.0: An Identity Ecosystem.

Network Computing: SOA Security = XML + WAF

2011-04-25T12:53:00.000-05:00

WAFs are well designed for protecting static HTML traffic, however, with the wide proliferation of SOA and the reuse of SOA-based components in dynamic web portals, significant XML, JSON and other non-HTML traffic is now generated from portals. Handling security for sophisticated web portals requires functionality beyond that available in Legacy Web Application Firewalls (WAFs).

Network computing recently published a review of the industry-first integrated WAF + XML appliance, Forum Sentry WAF:

Forum Systems Integrates XML Gateway, Web Application Firewall On Single Appliance

SOAPSonar 6.0 from Crosscheck Networks Capable of Testing Unlimited Users in Cloud

2010-12-21T14:15:00.000-05:00

Here an article covering SOAPSonar 6.0, the leading SOA Testing product. The latest version provide a number of capabilities including testing cloud providers as well as testing using clouds.

For detailed article, see: SOAPSonar 6.0 from Crosscheck Networks Capable of Testing Unlimited Users in Cloud

Financial firm finds highly scaled testing for proliferating SOA services

2010-12-16T18:05:00.000-05:00

Jack Vaughn, Editor-in-Chief of SearchSOA published this article on real life scenarios in SOA Testing and general SOA adoptions trends. Article highlights are as follows:

a well built re-usable service will have high demand and a high number of transactions and consumers
through automated SOA Testing products such as SOAPSonar, 100% scenario coverage is possible
endurance and performance testing are also a core part of SOA Testing.
Service traffic includes traffic from RESTful services and has resulted in portals driving overall JSON, XML and SOAP message structures. It's not just about A2A communication driving this traffic anymore.

Detailed article: Financial firm finds highly scaled testing for proliferating SOA services

Forum Systems: The only patented replacement to Cisco ACE Gateway

2010-11-30T21:13:00.000-05:00

Jim Duffy's Network World Blog -- the Cisco Connection -- highlights the Cisco ACE XML Gateway replacement offered by Forum Systems, a wholly owned subsidiary of Crosscheck Networks. Forum Systems is the only patented XML Gateway in the industry. Migrating to non-patented products from other XML vendors exposes corporations to excessive liability and non compliance. Furthermore, "me too" technologies that copy leading patented products eventually fade away much like the Cisco ACE XML Gateway.

For the complete article, see: http://www.networkworld.com/community/blog/third-option-cisco-ace-xml-gateway

Forum Systems Cisco Replacement Program:

Program Details: http://www.forumsys.com/products/cisco_ace_replacement.php
Best Practices: http://www.forumsys.com/resources/cisco-ace-replacement-program.php

Forum Systems Other Gateway Replacement Programs:

IBM DataPower: http://www.forumsys.com/products/datapower_replacement_eol.php
Other NON-PATENTED Gateways: http://www.forumsys.com/products/xml_gateway_replacement.php

Cisco ACE Replacement Strategy: Choosing the right XML Gateway

2010-11-08T10:42:00.000-05:00

XML Gateways are a core component of SOA deployments. SOA testers, developers, architect are intimately familiar with XML Gateways as a central component for enabling XML Security, Integration, Identity and Management.

Recently, Cisco published End-of-Life (EOL) and End-of-Sale (EOS) notices to its customer base for the Cisco ACE XML Gateway.

Forum Systems pioneered the XML Gateway Appliance space in 2001 with the launch of its product Forum Sentry. A number of vendors followed this path by morphing their existing technologies to the XML Gateway Appliance space. Reactivity, the company Cisco acquired for a $135M in 2007 was one such company that changed direction to enter this space.

In 2003, Network Computing published a bake-off between vendors in XML Gateway space. Reactivity (acquired by Cisco), DataPower (acquired by IBM) and a number of other vendors including Forum Systems, Westbridge, Verisgn were also a part of the assessment. Looking back at this vendor assessment, one can see a clear trend: companies that changed their directions to come after the pioneer (Forum Systems) eventually gave up on the space.

Although the strategy of a company changing direction to follow a viable market seems like a good idea at that time, it has profound implications in the future. When a product is not built ground-up to address a specific market, architectural comprises ensue that result in the demise of such products in the future. The key factor in picking any technology solution is to identify the leaders and the followers.

New vendors continue to follow the leader in the XML Gateway space, by changing their ESB products to look like XML Gateways, however, they lack the innovation and intellectual property established by the leader. See fore example, Forum System Issued Patent 7,516,333 for XML Security Gateway.

As corporations replace their XML Gateway from Cisco ACE or any other non-patented product, they should consider the following points:

Select a patented product or face replacement issues as the patents are enforced.
Pick an XML Gateway and not a product that is like an ESB/Application server.
Demand an Independent Security Assessment on the ENTIRE XML Gateway.
Validate feature/function availability and innovation leadership.
Demand flexible replacement costs and options.

For a detailed article on Cisco ACE replacement strategy, see Cisco ACE Gateway EOL: How to Pick a Replacement XML Gateway.

For Cisco ACE Replacement Programs, see Cisco ACE Replacement.

MIT System Design and Management Program Hosts Experts on Cloud Computing, Entrepreneurship, Leadership

2010-08-05T13:25:00.000-05:00

The MIT System Design and Management (SDM) summer 2010 business trip kicked off at the Faculty Club with a keynote address on entrepreneurship and leadership by Mamoon Yunus (MIT Mechanical Engineering, 1993 and 1995), President and CEO of Crosscheck Networks.

Yunus, who was introduced by Unatek CTO Charles Iheagwara (SDM 2010) after an opening statement by SDM director Pat Hale, saw a "gap" in the cloud computing movement and in 2004 founded Crosscheck to build technology that would scrub XML traffic in the cloud. Seeing gaps, said Yunus, is key to success.

"You can’t innovate in a vacuum," Yunus said. For example, after speaking at Harvard Business School he was approached by several MBA students who asked him, "‘How does one generate ideas? We know business, but are looking for ideas where we can apply our business skills."

Read More >>

Understanding Enterprise-to-Cloud Migration Costs and Risks

2010-07-09T11:04:00.001-05:00

For CIOs, CTOs and business application architects, cloud computing has become inescapable aspect of their overall IT strategy. As businesses consider approaches to migrating parts of their infrastructure to the cloud, IT organizations wrestle with fundamental questions such as:

What applications or its components should be migrated to the cloud?
What should be the order/priority of migration?
Which IaaS cloud provider should be selected based on application performance and reliability requirements?
How do I mitigate enterprise-to-cloud migration risk?

Without addressing such questions, enterprises are faced with ad-hoc decisions during their cloud migration process that can add immeasurable risks to their business operations and undermine the efficiencies that they seek by migrating to the cloud.

This article, Understanding enterprise-to-Cloud Migration Costs and Risks, tackles these issues and helps companies in making informed and measured decisions regarding their cloud migration strategy.

Europe CloudExpo : Understanding Enterprise-to-Cloud Migration Costs and Risks

2010-06-25T16:10:00.003-05:00

Migrating to Infrastructure-as-a-Service (IaaS) is an attractive option for corporations that want to shift from a capital expense to a pay-as-you go model. Regardless of the business driver for cloud computing, of which there are many including reducing costs and adding nimbleness, large enterprises are now faced with re-evaluating their core IT assets with an eye towards enterprise-to-cloud migration for improving business efficiencies. However, beyond qualitatively appreciating the benefits of cloud computing, IT executives lack the ability to quantitatively assess the risk-reward structure of which application should be migrated from the enterprise to a cloud. Without having a quantifiable impact assessment of migrating enterprise resources to a cloud, enterprises are faced with ad-hoc decisions during their cloud migration process.

For all tracks and sessions presented during this event, see:
http://cloudexpo-europe.com/?q=event/sessions

Using SQL Azure for SOA Quality Testing

2010-05-24T10:04:00.000-05:00

SQL Azure provides affordable and rapid collaboration across SOA Test teams using SOAPSonar, the industry leading, comprehensive SOA and Cloud Testing product. This article provides an overview of using a shared repository: SQL Azure for collaborative SOA testing across dispersed SOA Test teams.

SQL Azure is a promising option for corporations that deploy Micrsoft technology and are interested in leveraging cloud computing to reduce IT costs and respond rapidly to business requirements. For companies that are simply looking for hosted relational databases, other options such as MySQL hosted by Amazon EC2, Rackspace, GoGrid or OpSource serve as strong alternatives.

Our impressions of SQL Azure have been positive. Through firewall rules, security provisions are adequete and not overwhelming for database and application developers. We do expect a richer web-based management interface in the future that goes beyond just creating an dropping databases. Although SQL Management Studio, installed locally on your machine, provides powerful management capabilities, it dilutes the power of installation-free, cloud-based components.

Corporations can use Quality Assurance and Testing as low-hanging use-cases for cloud computing. Companies should be less concerned about storing test data in external clouds compared to, for example, real customer data. Using SQL Azure for SOA test automation provides better collaboration for test teams, ease of database management and a cheaper alternative to procuring and maintaining on-premise test infrastructure.

For complete article, see: http://soa.sys-con.com/node/1379631

Network World: 15 Cloud Companies to Watch - Crosscheck Makes the List

2010-05-10T08:34:00.003-05:00

Innovative vendors offering ways to make the transition to a cloud-based world less daunting.

Here are excerpts from the article published by Beth Schultz of Network World:

Why we're watching the company: Service-oriented architecture (SOA) testing companies have begun rounding out their product lines with tools aimed at giving IT organizations more confidence as they plan for application migrations to the cloud. The product can also ease the infrastructure and cost burdens of building out lab environments.

With CloudPort, developers can profile and measure the impacts of moving to cloud platforms while modeling the risk and cost benefits, the company says. From a central console, the tool provides information about cloud providers such as performance metrics, geographic latency and service initiation times; outages and application error states; and security, capacity and interoperability. Plus, it offers the ability to run what-if modeling scenarios. It leverages cloud instances from Amazon EC2, OpSource Cloud, GoGrid and Rackspace, and says its pay-as-you-go model lets enterprises realize cost savings of up to 60% when compared to reference architectures, while compressing the services life cycle and reducing time-to-market.

Who heads the company: CEO Mamoon Yunus, who founded Forum Systems, where he pioneered Web services security gateways and firewalls.

How the company got into cloud computing: Crosscheck comes from the Web services/SOA testing world. As SOA and virtualization come together in the cloud, adding cloud testing tools to its portfolio was a logical next step.

For complete article, see:
http://www.networkworld.com/supp/2010/ndc3/051010-ndc-cloud-companies.html?page=3

CTOEdge: Crosscheck Models Cloud Computing Performance

2010-04-26T11:28:00.000-05:00

"One of the biggest problems with cloud computing is that IT organizations are hesitant to move an application into the cloud when they don’t know what to expect in terms of performance. Crosscheck Networks intends to help IT organizations overcome that uncertainty with a new modeling tool for cloud computing called CloudPort. " Mike Vizard, CTOEdge
For complete article, see: http://www.ctoedge.com/content/crosscheck-models-cloud-computing-performance

SOA-Cloud Testing: CloudPort simulates data-center to cloud migrations

2010-04-12T10:48:00.000-05:00

In the absence of quantifiable data, enterprises are challenged to make well-informed choices when it comes to migrating to the cloud. Instead, they often find themselves forced to make these strategic decisions based on ad-hoc or partial information. This is a risky and unproductive approach, especially when typical migration process requires moving numerous components -- including databases, application servers, ESBs, identity stores, and BEPL orchestration engines -- to the cloud. Once a full reference system is deployed, the behavior of the enterprise applications interacting with the cloud-based components must be tested -- using customized production code. This is an expensive, time-consuming and potentially error-prone proposition.

With CloudPort, enterprises benefit by never having to touch production code -- while eliminating the substantial time, capital and IT staff resource expenses related to building a distinct cloud test environment.

For further information, see SD Times article:
http://www.sdtimes.com/link/34249

For details on CloudPort, see:
http://www.crosschecknet.com/products/cloudport.php

The modern XML Gateway appliance: from acceleration to integration an into the cloud

2010-03-29T15:06:00.000-05:00

XML appliances, a core component of IT deployments, process XML-based information including SOAP and REST messages. In the early 2000s, the first phase of XML appliances focused on providing security at the enterprise edge where traditional firewalls could not prevent against XML-based threats. As XML adoption increased, accelerating XML traffic that is typically bloated and verbose became a requirement. This is where companies such as Forum Systems pioneered the first XML appliance with acceleration, security, and threat mitigation functionality. Forum Systems was granted a patent for XML Appliances in 2009 for its visionary work in XML security, acceleration and threat mitigation.

The second stage of XML Appliance evolution was to add significant support for the enterprise ecosystem; including transport protocol support - required for moving messages around; identity management support - required for interact with existing identity management solutions for authentication and authorization decisions; and monitoring and governance support - for enterprise-level management and monitoring of appliances and transaction flow.

Almost a decade later, XML appliances are now in the eye-of-the-storm again. As enterprise build private clouds and off-load commodity functions to public clouds, XML appliance are serving a critical part in acting as an enterprise-to-cloud gateway. Since its inception, XML appliances have been used for controlling and securing enterprise-to-SaaS interaction. This XML Appliance function has now evolved to controlling enterprise-to-IaaS (Infrastructure as a Service) interaction. For more about XML appliances see:

http://searchsoa.techtarget.com/news/article/0,289142,sid26_gci1445628,00.html

Customer Case Study: SOA and Cloud in 2010 - Talking with Crosscheck and Omega Financial

2010-02-22T12:03:00.000-05:00

Insightful podcast by Jessica Ann Mola, Managing Editor at eBizQ with John Woolbrigth, CIO of Omega Financials and former CTO of Synovus Financial and Mamoon Yunus, CEO of Crosscheck Networks that explores the following items:

Defining cloud computing. Are SOA and cloud synonymous?
Pre-requisites and barriers to enabling cloud computing in an enterprise IT infrastructure.
Impact of current economic climate as hurting or helping cloud/SOA adoption.
Architectural moving parts necessary for building SOA.
Real-life, high-scale SOA and cloud-based deployments.

"Cloud and SOA are not really synonymous; they're more supportive of each other...SOA enables cloud computing." - Mamoon Yunus

"There are three or four things that can get you to a place to take advantage of cloud computing..." - John Woolbright

eBizQ: SOA and Cloud in 2010: Talking with Crosscheck and Omega Financial

Tale of Two XML Gateways

2010-02-01T14:32:00.000-05:00

Here's an interesting article on XML Gateways, their use in SOA deployments, and a comparison between hardware, software and cloud-based form factors. SOA Tester have to be cognizant of identity, encryption, and signature artifacts that are consumed and generated by XML Gateways so as to build proper test cases for comprehensive end-to-end SOA testing.

Tale of Two XML Gateways
— These days XML Gateways are a core infrastructure component of any enterprise SOA deployment. XML Gateways provide the ability to integrate services securely with granular access control, data-level encryption, integrity through signatures and XML threat mitigation. XML Gateways can be deployed as a hardware appliance or as a software gateway. Both these form factors have their advantages and disadvantages. This article provides readers a quick synopsis of the advantages and disadvantages of each form factor.

XML Threat and Trust Modeling and Testing

2010-01-25T11:36:00.000-05:00

Understanding XML Threat and Trust models enables SOA testing and QA professionals to build robust test suites that verify functional, performance, interoperability and security profiles of Web services. SOA testing has to cover a XML identity tokens, XML signature generation and verification, and XML encryption-decryption to establish trust. The test suites have to ensure that trust-based artifacts are scalable and interoperable. In addition to testing such trust-based artifacts, SOA testers have to ensure that the web services have threat mitigation in place against threats such as SQL Injection, Denial of Service attacks and Malware threats over SOAP and XML traffic.

Here is an article published on XML Threat and Trust Models:

XML Security Trust and Threat Models for Dummies
— It is very rare today to find a business application that has not exposed its interface via SOAP/XML. XML is the building block that enables business or consumer applications to exchange data in a standard structured format. The exchange of XML data typically takes place through an SOAP/XML interface based on the Web Services standard or through the REST-based standard. These flexible standards that richly describe interface functions of an application also introduce a host of XML and Web Services security vulnerabilities. This article is a quick start guide to most common XML and Web Services security vulnerabilities and the two basic security models they follow.

Full Article: XML Security Trust and Threat Models for Dummies

Forum Systems joins Cloud Security Alliance

2010-01-19T14:17:00.000-05:00

BOSTON--Forum Systems, a wholly owned subsidiary of Crosscheck Networks, Inc., today announced that it has joined the Cloud Security Alliance to help further the organization’s efforts in the areas of data security, privacy and integrity best practices. An early sponsor of the Cloud Security Alliance, Forum Systems recognized the fundamental need in providing security assurance within cloud computing environments. As a Cloud Security Alliance Corporate Member, Forum Systems advocates that enterprises must first establish secure XML, SOAP and REST-based transactions before implementing their cloud-based initiatives.

Read Full Description >>

Strategies for Securing Enterprise-to-Cloud Communication

2010-01-15T13:39:00.001-05:00

Extending corporate boundaries to cloud infrastructure providers requires focused review of security practises used to integrate from the enterprise DMZ to external trading partners. Here is an article that covers Enterprise-to-Cloud communications issues and how best to prepare from them. SOA Testing and XML Gateway play an intergral part in ensuring that the security provisions are well tested and strictly enfored while interacting with cloud providers.

Strategies for Securing Enterprise-to-Cloud Communication
— The Cloud Security Alliance (CSA) published Version 2.1 of its Guidance for Critical Areas of Focus in Cloud Computing with a significant and comprehensive set of recommendations that enterprises should incorporate within their security best practices if they are to use cloud computing in a meaningful way. The Guidance provides broad recommendations on operational security concerns including application security, encryption & key management, and identity & access management. In this article, we will consider security implications of REST- and SOAP-based communication between consumers and specifically, Infrastructure as a Service (IaaS) providers.

Federated SOA impacts SOA Testing

2010-01-07T15:34:00.002-05:00

Comprehensive SOA testing, using commercial and mature products such as SOAPSonar from Crosscheck Networks, is critical for companies as they expand beyond their localized SOA domains and integrate with SaaS, PaaS, and IaaS providers to build a Federated SOA. Here's an article that highlights the relationship between Federated SOA and Cloud Computing.

Federated SOA: A Pre-requisite for Enterprise Cloud Computing
— Successful enterprise SOA implementations build on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners. Ownerships defines a SOA Domain. SOA domains may exist within corporate boundaries or may be provided as services by third parties. Deciding what services are core to a business owner and should be implemented within her/his domain versus consumed from another SOA domain becomes a critical part of building Federated SOA. Understanding core capabilities provided by SOA domains is a crucial task at the enterprise-level for encouraging efficiency through re-use and for keeping focus on core business services.

As SOA domains mature, key issues arise in enabling "SOA Domain Jumping," -- easily and rapidly integrating with other SOA domains. Here are the top three Federated SOA requirements that corporations must first address before embarking on a meaningful and sustained cloud computing deployment.

Hidden Cost of Open Source SOA Testing Tools

2010-01-04T11:48:00.004-05:00

Here is an interesting article that appeared on sys-con regarding the hidden costs associated with using open source frameworks for SOA Testing. Corporate business process security, interoperability and scalability may depend on the kind of tools one chooses for testing services and may significantly contribute to the overall success a company's ability to safely add a growing number of business partners to its ecosystem.

Hidden Cost of Open Source SOA Testing
— Adopting an open source tool for SOA testing seems the simplest, most cost effective choice for developers and testers early on. However, you should plan and consider the implications of a longer term strategy with an open source testing tool. There are many aspects of service testing that contribute to a comprehensive solution across the SOA life cycle. Adopting a specialized tool for service testing is essential and will provide value, but may prove limiting if the adoption of the testing tool becomes something that can not grow with the business and maturity of your SOA strategy. This article will discuss some topics to consider before jumping headlong into an open source free testing solution for your production services.

Service virtualization and its effect on SOA Testing

2010-01-01T18:19:00.002-05:00

The is article discusses the advantages of using service virtualization whereby, in the simplest case, you may import a number of WSDLs, aggregate them and then expose them via and XML Gateway, such as Forum Sentry, based on the credential presented. The impact of service virtualization on SOA testing is significant:

Remote services have to be tested independently.
Aggregated WSDL need to be tested.
User specific WSDLs generated by the Cloud/XML gateway have to tested.
The difference between gateway-generated services has to be reconciled with the remote services.
Identity tokens have to be generated for both remote services as well as the gateway to ensuring that the right authentication and authorization decisions are being enforced on the gateway.

References:

MIT Techology Review covers "Swamp Computing" a.k.a. Cloud Computing

2009-12-28T16:38:00.000-05:00

XML/SOA Testing of XML Security Policies (XML Encryption, XML Signatures) will become the centerpiece of Cloud-based deployments that are multi-tenant in nature and can inadvertently expose corporate information.

MIT Technology Review published an interesting article sumarized under MIT Technolgy Review covers "Swamp Computing"

Reducing the Complexity of Application Security

2009-12-22T18:09:00.030-05:00

Integration is the Enemy of Security and so is Flexibility - an attribute that is essential for organizations to survive. A corporation that cannot service its customers and suppliers, establish long sticky relationships with them and build an infrastruture that enables rapid addition of both suppliers, buyers and partners for information exchange will perish and get demolished by a nimble and flexible competitor whose infrastructure has integration capabilities for rapid information exchange.

Mike Vizard from CTOEdge talks about the business drivers that compel companies to integrate yet face security challenges that hamper integration efforts: Reducing the Complexity of Application Security

Here's a snippet from Mike's article:

"As business-to-business interactions over the Web become more pervasive, so too does the complexity associated with securing those transactions.

Unfortunately, all that complexity serves only to dissuade businesses from integrating business processes across the Web at a time when we want to encourage that behavior. So the challenge facing chief technologists is to find a way to make it simpler to integrate business processes without having to introduce complex layers of security."

Key components that help reduce (and improve) application security include:

Strong SOA Governance Enforecement, Monitoring and Security through XML Gateway such as Forum Sentry.
Portal and Web services Authentication and Authorization decisions through Secure Token Services such as Forum Sentry STS - Identity Broker.
Application Security Testing and Simulation through products such as SOAPSonar and SOAPSimulator for Identity, Privacy, Integrity and Penetration Testing.

Software Magazine: Crosscheck Networks SOAPSimulator adds JMS support

2009-12-17T18:23:00.002-05:00

Service Simulation is and essential component for end-to-end SOA Testing. Software Magazine recently published an article on SOAPSimulator, the only stand-alone service simulation product in the market for simulating Web services, XML, REST and SOAP.

A new version of SOAPSimulator from Crosscheck Networks, the company focused on products supporting reliable Web services, adds the ability to test large attachments via IBM MQ, Tibco EMS, WebLogic JMS and native Java Messaging Services adapters...read more>

SOAPSonar - QTP Job Posting

2009-12-15T09:00:00.003-05:00

The maturity of a market and a product can be judged by the related job postings. Much has been written and talked about SOA Testing, however, this data point -- A job posting looking for a Testing and Automation Professional -- validates three key trends:

The number of QA Professionals focusing on SOA Testing within an enterprise has hit a point where having SOA Test Tools, such as SOAPSonar from Crosscheck Networks, alone is not sufficient. A centralized defect tracking and test cases management infrastructure such as HP Quality Center is necessary for efficient collaboration. Incidentally, SOAPSonar is HP EMAP certified with deep integration with QC v10. For details on their integration see SOAPSonar EMAP Certification.
SOA Testing Skill sets are far along the comoditization trajectory with job positions not just in the US but offshore as well. This particular job posting is in Banglore, India.
SOA Testing requires complex skill sets including XML, SOAP, REST, WSDL, Database, Java, Message Queues, Automation Scripting, as well as fundamental Testing Techniques such as Black Box, White Box and Grey Box testing. The skill requirements will trend towards greater complexity as more IT assets are exposed using Web services and integrated with the SOA fabric.

SOA Testing Professionals will evolve as into high skilled individuals with diverse skills that touch almost all IT assets from networking to applications within and across enterprise boundaries. UI, Database and Application Testers will have to expand beyond their domains to keep up with the demands of SOA Testing.

Gartner AADI SOA Testing Sessions

2009-12-14T12:08:00.004-05:00

It was exciting to see the extent of interest and coverage on SOA Testing at the Gartner Application Architecture, Development and Integration (AADI) event in Las Vegas last week (December 7-9th). SOA Testing has become an integral part of Enterprise Application Life cycle Management and Thomas Murphy, Research Director at Gartner did a great job in covering the core aspects of SOA Testing at the show is the following session:

SOA Testing: Confronting the Nightmare of Testing Shared Services: The Key Issues that were covered included:

How will application testing and quality be affected by the shift to SOA and Web 2.0 technologies?
What metrics will be effective at driving improvement and assessing the efforts of those collaboratively performing the development and testing of software services?
Which tools will provide the best productivity and understanding of software quality and testing for the current and future SOA applications and platforms?

For more details about the SOA Testing Sessions at Gartner, click here.

SOA Appliance for Cloud Computing

2009-12-10T14:15:00.004-05:00

Building a robust SOA is a pre-requisite to cloud computing. Without solid provisions for SOA Testing, SOA Governance, and Federated SOA, large enterprises will unlikely embark on cloud computing initiatives that truly span Infrastructure as a Service (IaaS), Platform as a Services (PaaS), or Software as Service (SaaS).

The article below shows one of the core building blocks required for an enterprise SOA deployments - Identity Management and Enforcement. Forum Systems has recently announced Forum STS - a SOA Appliance that enables Cloud computing by managing identities within and across SOA domains. For more details, see article published by Liz McMillan:

SOA Appliance for Cloud Computing
— Web services-based Service Oriented Architectures (SOA) enable communication via ubiquitous standards such as XML and SOAP. To foster efficient, effective message exchange and satisfy increasing user demands for real-time, aggregated information from internal and external business partners, trust must be established among all entities. Comprehensive mediation, authentication, and authorization of identity exchange among customer and partner portals, Web applications, and XML-based Web services provide the business with a simplified, coherent model for identity management and build the pillars of Federated SOA.

SOA Testing in a Federated SOA environment

2009-11-13T09:08:00.008-05:00

According to Massimo Pezzini, VP and Gartner Fellow, "Federated SOA is a systematic approach to large-scale, enterprise wide SOA that enables organizations to integrate semi-independent SOA initiatives. Often used to fix an initial lack of coordination, federated SOA should be proactively pursued from the inception of major, strategic SOA initiatives." -- Divide and Conquer: Taming Complexity Through Federated SOA.

The technology implication of Federated SOA has pushed towards a convergence of XML/Web services with HTML/Portal technologies. This has a significant impact on industry expectations on SOA Testing Tools, B2B Gateways, Application Servers and XML Gateways. For example, the latest announcement by Forum Systems, the leader in XML Gateway technology, indicates a move towards Federated SOA. See:

Forum Systems Drives SOA Federation

Continuing to set the benchmark for securing Web services, key new capabilities available via Forum Sentry include:

HTML Portal Virtualization – Deployed in a “proxy” setting, Forum Sentry removes the identity and security burden from Web sites and portals. Leveraging Single Sign On (SSO) functionality across existing infrastructures, Forum Sentry’s non-intrusive, agent-less design accelerates security and identity on a dedicated device – without requiring code changes to back-end Web applications and services, or additional capital expenditure costs.
Central Cookie and SAML Processing – Forum Sentry authenticates and authorizes both portal- and Web services-related identity tokens – the cornerstones of Federated SOA. Credentials are shared – regardless of where the services reside – throughout the entire transaction, producing an enhanced, seamless user experience without compromising security.
Federated Two-Factor Authentication – Promoting greater security, Forum Sentry requires two pieces of information for identity verification of internal and external partners. It removes the complexities so often associated with token sharing across portals and Web services, while still enforcing the highest levels of authentication and authorization.
Protocol/Document Attribute Mapping – Promoting greater ease of use, HTTP/HTML header information can be mapped into messages and documents. User information from HTTP can be transferred into a SOAP or XML message for usage elsewhere in the network – independent of protocol – enabling SOA Federation across both XML and HTML traffic.

The impact of transactional components such as Forum Sentry towards Federated SOA means that testing, monitoring and diagnostic tools now need to converge towards handling not just XML/WS traffic, but also provide the ability to test the HTTP stack as well. This is a natural fit for XML/SOA Testing vendors such as Crosscheck Networks since their core focus has been deeper in the packets in parsing and manipulating complex XML data. Floating up from the deep packet manipulation to the shallow HTTP header testing and manipulation is a simpler task that SOA testing products such as SOAPSonar are very capable of handling.

Federated SOA essential aspects: SOA Testing, SOA Identity and SOA Security

2009-11-02T17:03:00.005-05:00

Here is an interesting article by Rob Barry titled: "I n SOA, cloud resources may exacerbate security and file transfers issues." It highlights significant requirements for Federated SOA especially around large file transfer using Web services attachments. The article makes the following interesting points:

Attachment sizes are increasing driven by cloud computing such as transferring large files to Amazon S3 or a companies internal cloud.
MTOM and MIME are used now for real time file transfer over web services instead of FTP or classic MFT protocols.
Identity is critical to Federated SOA.

Standards such as MIME and MTOM are now being heavily deployed. For a deeper understanding regarding how MTOM works, see "Intro to MTOM."

Link to article by Rob Barry: http://searchsoa.techtarget.com/news/article/0,289142,sid26_gci1373331,00.htmll

Techniques in Attacking and Defending SOA-XML-Web Services

2009-10-22T12:59:00.003-05:00

At OWASP AppSec, Washington, DC, Crosscheck Networks will present a session titled, “Techniques in Attacking and Defending XML/Web Services.” This session will examine the strategies in identifying new attack vectors and classifying security threats, including SQL Injection, Denial of Service (DoS) and XSD Mutation. Additionally, the Crosscheck Networks senior executives will offer countermeasure best practices to mitigate the risk of, and exposure to, those identified XML security threats.

To register, click here.

Undertanding XML Gateways

2009-08-05T13:13:00.004-05:00

The Washington Post published an interesting article highlighting security vulnerabilities in XML. The article titled XML Flaws are pervasive reinforces the need for XML Gateways such as Forum Sentry as a line of defense beyond what is provided by classic IP firewalls.

Also, for pre-production or post-production XML/SOAP-based services, using SOA Testing products such as Crosscheck Networks SOAPSonar provides extensive Security Testing to identity XML-related flaws. Once identified, the remediation strategy can involve:

code-refactoring that can have a serious cost and production up-time impact
deploying XML Gateways with general a application specific XML protection policies

Time and cost savings aside, using XML Gateways to protect XML Flaws, as highlighted by the Washington Post article, has a significant architectural advantage of decoupling application business logic from application security.

SOAPSonar vs. SOAPUI

2009-07-21T12:30:00.005-05:00

Here's an interesting article that talks about SOAPSonar vs. SOAPUI.

SOAPUI vs. SOAPSonar

SOAPSonar has been dominant in the SOA Testing space and is the only product that provides comprehensive SOA Testing across Functional, Performance, Interoperability and Security domains. Crosscheck Networks, the provider of SOAPSonar, recently acquired Forum Systems. With this acquisition, Crosscheck Networks now provides a wide array of integrated product offerings that comprehensively covers services life cycle across building, testing and securing SOA deployments.

Here's another article that highlights why a testing tool that is commercially built is better suited for SOA Testing: Limits of Open source SOA Testing tools.

How-to test SAML tokens

2009-07-06T11:17:00.010-05:00

SAML tokens are often used with XML and SOAP messages for identity related functions. Typically an XML Gateway, such as Forum Sentry, or an application server such as SAP Application Server consume or generate SAML artifacts for Authentication and Authorization or carrying Attribute information from the sender.

For testing SOA deployments that use SAML tokens, SOAPSonar from Crosscheck Networks provides all the provisions required to dynamically construct and send SAML tokens within a web services invocation. The configuration screen for the SAML tokens that supports both SAML 1.1 and SAML 2.0 provides the flexibility to set:

Issuer

Name Identifier (emailAddress, unspecified, entity, kerberos, persistent, transient, unspecified, X509SubjectName)

Confirmation Method (bearer, holder-of-key, sender-vouches)

Statement Type (Authorization, Authentication, Attribute)

Dynamic Time Stamps, Time-to-Live, Include Not-Before, Include, Not-After

Signatures

Issuing a valid SAML token requires time-related elements that have to be dynamically generated for each request. Timestamps, TTL, Not-Before, Not-After elements and attributes provide a temporal aspect to SAML assertions that have to be properly enforced by the services endpoint (server, or gateway) and have to be fully tested using dynamic tools such as SOAPSonar. It is also recommended that the integrity of the SAML assertion be maintained through signatures on the assertion. This signature has to be properly generated by the client (SOAPSonar for testing) and properly verified by the service endpoint.

A trial enterprise version of SOAPSonar can be downloaded here.

Intro to SOA Regression Testing: A Hands-on Approach

2009-07-05T20:16:00.002-05:00

Here's a hands-on approach to SOA-based Regression Testing using XML/Web Services that is useful for developers and SOA QA professionals who want to ensure that the rapid pace of changes made to web services do not degrade the quality of their services.

Intro to SOA Regression Testing: A Hands-on Approach

In this article, techniques for SOA Regression Testing through a hands-on approach are described with a walk through of:

Setting up a simple web services consumer (client) and producer (server) environment.
Establishing an external MS Excel data source for driving test scenarios.
Recording an acceptable base-line run.
Simulating regression by changing producer service.
Re-running external test data and identify producer service regression.

This article was initially published on Code Project by Crosscheck Networks, Inc.

SOA Security Testing - XML Gateways

2009-06-24T14:41:00.006-05:00

SOA/XML Gateways are a secure bridge that integrate enterprises with their trading partners while ensuring that the information flow upholds the tenants of information assurance: privacy (encryption), integrity (signatures and schemas) and traceability (audit and archive). SOA Testing XML Gateways requires significant functional depth across security attributes (SSL, WS-Encryption, WS-Signatures), identity facets (SAML, WS-UserName, WS-X.509, WS-Kerberos), structural tests (Schema and Schematron) as well as message exchange patterns based on XML, SOAP, and REST.

Forum Sentry is one such XML Gateway with significant differentiating emphasis on security. Jason Macy, VP Engineer and CTO at Forum Systems recently recorded an informative webcast highlighting the security for XML Gateways. Once such Gateways are deployed, using comprehensive SOA Testing products such as SOAPSonar is essential to ensure that the gateway is operating as expected.

For more information on SOA Testing Techniques, click here.
For more information on XML Gateways, click here.

SOA Build, Test and Secure Paradigm

2009-06-15T14:32:00.005-05:00

With the recent Crosscheck Networks' acquisition of Forum Systems, the SOA/XML landscape continues to trend towards market consolidation. Enterprises now expect well-integrated products that help IT professionals across Web Service Life cycle and not just pre- or post- production alone.

For building web services, consumers need to get their client-side code developed even before the services are ready. This is where service simulation becomes critical.
On the flip side, developers and testers of service providers (service endpoints) need to iteratively test the functional, performance and security characteristics of such services.
Once the service endpoints are ready to go, an intermediate XML Gateway needs to be deployed to protect the endpoints.

Through well integrated products such as SOAPSonar, SOAPSimualtor and Forum Sentry, Crosscheck Networks and its wholly-owned subsidiary, Forum Systems, provide compreshensive Web Service Build, Test and Secure functionality for Industrial Web Services Deployments.

SOA Tips: Transaction Monitoring

2009-06-01T13:43:00.002-05:00

Recently, I had a great conversation with Jack Vaughan on transaction traceability and monitoring with SOA. He graciously published some of our talking points under SOA Advisor, a useful section under SearchSOA.com that provides actionable tips on a variety of SOA, XML, and Web Services related topics including SOA Testing.

To see SOA Tips, see:

http://searchsoa.techtarget.com/tips/index/0,289482,sid26_tax309147,00.html

SOA Testing and Simulation of HL7 v3 messages using Schematrons

2009-02-05T14:39:00.009-05:00

In my discussions with engineers at Crosscheck Networks, I have come across an interesting use case in the health care industry where HL7 v3 - an ANSI health care standard modeling clinical, administrative, pharmacy, medical devices and imaging domains - is being deployed by the Dutch Government. The Dutch government's aggressive health care initiative in building a nationwide Health Information Broker (HIB) can serve as a good model for the current US Administration that is considering transforming US health care through nationwide electronic medical records (EMR) as one of its key policy initiatives.

In the Dutch health care technology infrastructure - based on Web Services enabled HL7 v3 specification - message exchanges take place between Health Information Systems via a HIB that maintains the necessary relationships between health care parties. The HIB is an intelligent message intermediary between entities involved in health care including providers, payers and pharmacies. The HIB ensures high quality and validity of health care information that reduces errors caused by manual information processing.

Crosscheck Networks SOAPSimulator and SOAPSonar are an integral part of the HIB to the extent that health care parties can only tie into the HIB if they meet message viability requirements set and enforced by Crosscheck SOAPSimulator at the HIB. The HL7 v3 message exchange criteria is set at the semantic level as well as the transmission level. With sophisticated use of standards such as WS-I Basic Profiles and Schematrons, custom health care semantic requirements and message transmission requirements are addressed.

Schematron assertions and rules provide a flexible way of capturing business domain specific rules that a message must meet for the message to be valid. This improves message interoperability between health care parties. Schmatrons enable business rules that can then be enforced on the HL7 v3 messages flowing through the Dutch HIB. SOAPSimulator is deployed as the message validity enforcer for HL7 v3 messages. As new health care parities get ready to integrate with the Dutch HIB, they must first satisfy the rules set in SOAPSimulator via Schematrons that check the correctness and validity of the HL7 v3 request and responses. Such checks serve as a pre-requsite for production-level integration and reduce interoperability issues between health care parties.

Figure 1: Configuring Schematron 1.5 Criteria Rules for HL7 v3 in SOAPSimulator

Figure 2: Configuring ISO Schematron Criteria Rules for HL7 v3 in SOAPSimulator

In addition to checking against Schematrons, SOAPSimulator checks against a number of additional criteria to ensure that the right identity and security constructs are being used in the message requests.

References:

1) Implementing Web Services in Dutch Health
2) Electronic Medical Records and Obama's Economic Plan
3) http://www.hl7.org/
4) Web Service Enablement of HL7 v3
5) An Introduction to Schematron
6) Crosscheck Networks SOAPSonar and SOAPSimulator

Web Services Simulation

2008-11-17T14:32:00.001-05:00

What should you do in your web services project when you're ready to start building your web services client, but your producer services is not ready? The answer is simple: Use Web Service Simulation. The obvious advantages of Service Simulation are as follows:

Reduce Overall development time by making simulated services available before they are built.
Tell the client whether it's sending the right messages to the service. For example, the service may be expecting a SAML token and the body of the message has to be signed. A service simulator can ensure that the client (consumer) is indeed following such requirements even before the producer services are built.

Here's a whitepaper that provides details on how to use service simulation to shorten your SOA projects while making your service invocations cleaner and more interoperable.

Accelerate your SOA Projects through Service Simulation

The consequences of overlooking SOA testing blind spots

2008-11-13T14:38:00.002-05:00

Colleen Frye, News Writer for SearchSoftwareQuality.com published a valuable article on the consequences of overlooking SOA Testing Blindspots. Rizwan Mallal, quoted in this article, highlights a couple of solid technical points:

HTTP 200 codes, although important in web site testing, are insufficient for web services testing that requires deeper content inspection to decide whether a request-response pair is successful.
Simply sending the same message over and over again is Performance Testing is incorrect and flawed. Most endpoints enforce security that requires message uniqueness and detect for message replay-type attacks. Most testing tools that started as web application testing tools lack web services testing features and are inadequate for SOA Testing.

SOAPSonar from Crosscheck Networks, unlike other products in the industry is built ground-up for SOA/Web Service Testing and has all the XML, SOAP, WSDL, WS-Security, WS-Trust, MTOM type standards that are inherently available for functional, performance, interoperability and security testing with a very simple to use user interface that doesn't require an army of consultants to install and configure. Plus Crosscheck provides a Personal Edition of the product for free.

For a detailed article on SOA Testing Blindspots see: Watch your SOA Testing Blindspots

SOA Testing and Governance through WSDL Report Cards

2008-09-09T15:37:00.000-05:00

Are all WSDLs created equal? SOAPSonar 4.0 by Crosscheck Networks bring this age-old question from the metaphysical domain to the emperical domain by providing an easy-to-use report card.

Based on configurable governance rules, Developers and QA professional can now live in relative harmony by reviewing WSDL report cards during the SOA Lifecycle.

For detail on WSDL Report Cards, read the following article published by Rich Seeley, SearchSOA:

WSDL gets a Report Card

http://searchsoa.techtarget.com/news/article/0,289142,sid26_gci1329141,00.html#

Hardware-based SOA Testing

2008-09-03T13:52:00.000-05:00

Crosscheck Networks released an industry-first, hardware-based SOA Testing by intergrating SOAPSonar with Smart Cards produced by A.E.T. Europe B.V.

SOA Testing for signatures, encryption, decryption, and X.509 client authentication is now seamlessly provided within the SOAPSonar testing framework. SOAPSonar provides the ability to use keys from a SmartCard to perform digital signatures, encryption, decryption, and SSL X509 mutual authentication. SOAPSonar provides a native integration with A.E.T SafeSign Client software to dynamically access the digital keying information on the card.

For details, see: http://www.soatesting.com/2008/08/smartcard-testing-for-soap-and-web.html

Webinar on SOA Governance using Service Simulation

2008-07-18T14:59:00.001-05:00

On Wedneday, July 30 (11:00 am EST), Crosscheck Networks is scheduled to present a webinar on Design-Time SOA Governance using Service Simulation which basically means that you can mimic a web service before it is ready. Design-Time SOA Governance serves a number of key uses such as:

1) Web Service developers can start building consumer applications before the producer services are ready. SOA Testers can build their test suites even before the producer services are ready, thereby compressing the SOA Project Lifecycle.

2) Producer Service Developers can provide a portable serivce simulation with requirements that the consumers have to meet before consumer applications are allowed to invoke the producer services. The requirement can include message formats, security and identity standards expected by the producer services. Additional Business-level requirement can also be simulated such that for certain requests, a pre-set response is returned. Enabling a library of anticiapted request-response pairs for a service ensures that consumers can build robust applications before the services are available.

3) Generating WSDL report cards is essential in measuring the relative quality of WSDLs within a SOA deployment.

For details about the webinar, visit:

https://www1.gotomeeting.com/register/653854184

Techniques in Attacking and Defending SOA Web Serivces

2008-06-09T16:06:00.000-05:00

I am excited to co-host the first of a new series of webinars launched by Crosscheck Networks and Forum Systems on Techniques in Attacking and Defending SOA Web Services. If you are interested in SOA, SOA Gateways, SOA Governance and Security, SOA Testing, XML Firewalls, SOAP,XML, WSDLs, SQL Injection, Denial of Serivice Attacks, and SOA Identity please consider attending the webinar.

Title: Techniques in Attacking and Defending SOA Web Services.
Date: June 19, 2008 (Thursday).
Time: 1:00 pm Eastern.
To register: https://www1.gotomeeting.com/register/503736495

We are excited to see the level of interest and enthusiasm in this Webinar Series and look forward to exhibiting Attack and Defense techniques is SOA deployments.

SOA Testing Consolidation: Green Hat Software acquires Solstice Software

2008-05-29T10:18:00.001-05:00

Green Hat Software, a London, UK-based SOA Testing company has acquired Solstice Software a Delaware, US-based SOA Testing company. The consolidation in the SOA Testing space is expected as larger companies add SOA Testing to their portfolio of SOA products. Although this is a private-to-private merger/acquisition, it's a good move that will give the combined companies European and North America coverage and will help them to effectively compete against established SOA Testing players such as Parasoft, Crosscheck Networks, iTKO and Mindreef.

HP and IBM have been touting SOA Testing products, however, they lack the functionality, maturity and and install-base within SOA Testing space. HP "SOA Testing" approach comes from a registry-based (Systinet acquisition) and web site testing approach (Mercury acquisition), whereas IBM's SOA Testing approach comes from its Rational UML modelling division. Both HP and IBM have yet to become serious contender is the SOA Testing space.

http://www.ebizq.net/news/9657.html?rss

SOA Testing considerations for SOA Gateways

2008-05-25T20:12:00.001-05:00

SOA Testing touches a number of components within the IT Ecosystems including SOA Gateways. Since a SOA Gateway is usually deployed close to the corporate edge, rigorous SOA Testing ensures that traffic ingressing and egressing an enterprise are clean, secured and valid -backend systems should be able to parse them easily once the SOA Gateway has giving its stamp of approval about the quality of the message.

Download Paper (registration required):
SOA Gateways: Best Practices,Benefits & Requirements

This article published by Forum Systems - the pioneer of SOA Gateways - covers deployment best practices, benefits and requirements with a focus on service virtualization, message privacy and integrity, and message control and auditing. It will help the reader frame SOA Testing scenarios necessary for SOA Gateways.

"A SOA Gateway is a core infrastructure component of a SOA with the ability to integrate XML/SOAP-based services securely. Typically deployed as a hardware appliance, a SOA Gateway seamlessly controls access to services, protects information through data-level encryption, ensures the integrity of a message through signatures, and controls information flow."

New SOA Testing Tutorial Labs introduced at STAREAST 2008

2008-04-25T10:10:00.001-05:00

STAREAST 2008 - the "Greatest Software Testing Conference On Earth" - is taking place May 5-9, 2009 is Orlando Florida. I had the pleasure of the first, day-long SOA Testing conference back in 2006 with the Crosscheck Networks' team. This year, the team will conduct their signature day-long tutorial: "The Art and Science of SOA Testing" with a set of hands-on Labs that cover topics such as:

SOA Functional Testing
Operation Chaining
SOA Identity Testing
SOA Performance Testing
SOA Interop Testing
Automation through external Data Sources
SOA Regression Testing

As the SOA Testing industry matures, this tutorial continue to align its material and labs to provide attendees a solid grounding in what aspects of SOA Testing are essential for a successful SOA deployment.

Crosscheck Networks Announces New Product: SOAPSimulator

2008-04-18T14:12:00.001-05:00

Crosscheck Networks, the company that pioneered comprehensive SOA Testing through its product, SOAPSonar, has now launched a new "paradigm-shifting" product: SOAPSimulator that enables QA professionals and developers to start getting their work done even if the service endpoint is not ready or available.

For details on SOAPSimulator, see:

http://www.crosschecknet.com/SOAPSimulator_News_0408.php

Make sure to download the white paper from the link above.

SOA Testing using Parallels on MacBook Pro

2008-04-09T15:24:00.008-05:00

I have finally moved over from XP to Mac and I am loving it. Now I do have a number of applications that I will probably not migrate away from - such as the MS Office Suite that I purchased for my MacBook Pro - it works like a charm and has a number of goodies that weren't available on my XP.

I also can't live without Visio and heavily use Crosscheck Networks products, SOAPSonar and SOAPSimulator - applications that are not available natively for Mac's, however, Parallels comes to the rescue. For $79.99, Parallels Desktop 3.0 for Mac has been a great investment. It is easy-to-use, fast and the images of your Operating Systems can be moved around easily. I don't know how it compares to VMWare, but I have no complaints about Parallels, yet. I like Parallels' Full Screen Mode and Coherence Mode that lets your Windows apps appear as if they are running natively within Mac OS X Leopard.

The image above shows SOAPSonar (a .NET-based SOA Testing Application) running in Parallels on a MacBook Pro.

Service Simulation - Help Jumpstart SOA Testing

2008-04-03T17:58:00.001-05:00

Here's a paper that the folks at Crosscheck Networks have authored on how Service Simulation can accelerate your SOA Testing, Client Side Development while saving you money by eliminating the need to build an expensive "SOA Reference System."

I have seen others talk about this concept in terms of virtualization and confuse everyone - I guess using hot marketing jargon helps get attention at the expense of adding confusion. The key aspects of Service Simulation are portability and ease-of-use, without which it adds more to the project timelines than what it promises to reduce.

Here's what Service Simulation is and how it helps:

"Reusable services are the cornerstone of a successful implementation of Service Oriented Architecture (SOA). Service simulation can mimic producer services before they are implemented, an alternative to an expensive reference environment. In this paper, we cover SOA Project Lifecycle issues and how best to address them through service simulation."

For complete article, see:

Accelerate your SOA Projects Through Service Simulation

http://www.softwaremag.com/pdfs/whitepapers/Crosscheck_WP4.pdf

Better Software Magazine Cover Story: Breaking Ground on SOA

2008-03-04T13:12:00.000-05:00

SOA Testing has really become a mainstream discipline. Better Software Magazine, a publication for QA Professionals and anyone focused on Quality, published a coverpage article on Building and Testing your first Web Service.

This article will get you started on SOA Testing in no time and provide you a good overview on how web services are built and how they can be tested. It's great article to get your feet wet with SOA and SOA Testing.

You can read the full article here.

Crosscheck Networks Announces SOA Testing Tutorial at Software Quality Engineering's STAREast 2008 Conference

2008-02-25T13:14:00.000-05:00

Crosscheck Networks Announces SOA Testing Tutorial at Software Quality Engineering's STAREast 2008 Conference

SOA Testing is becoming a mature discipline. QA Professionals are now actively re-tooling themselves to adapt to web services-based SOA Testing requirements. For the second year running, Crosscheck Networks is conducting a 1-day intensive SOA Testing Tutorial. This is a hands-on class that starts off by first covering the fundamentals of web services-based SOA and then quickly goes into hands-on labs that cover functional, performance, interoperability, security, regression, automation and identity testing.

The course, hosted in Orlando on May 5, 2008 is limited to 30 attendees. To find out more, visit STAREast 2008 (http://www.sqe.com/stareast/)

Recent SOA Testing Publications

2008-02-22T15:44:00.001-05:00

Here's a list of interesting SOA Testing Articles that have been published recently:

Introduction to SOA Regression Testing: A Hands-on Approach

2008-02-19T18:32:00.001-05:00

This article published recently highlights the importance of building a sound SOA Regression framework as a part of an enterprise-wide SOA Initiative. Here's a small snippet with a link to the entire PDF document:

Regress means to go backwards. Software Regression Testing is the means of identifying unintentional errors or bugs that may have been introduced as a result of changing a program module. The program module regresses by no longer working as it used to before. Software development is an iterative process in which program modules are continually modified by teams of developers to meet changing system requirements. Typical software systems with N modules have N2 dependencies. A flaw introduced in a modified module can have significant impact across the entire system.

Link to full article: http://www.crosschecknet.com/SOA-Regression-Testing-v2.pdf

SOA Testing Article: Compress SOA Lifecycle through Development & QA Collaboration

2008-02-14T18:51:00.000-05:00

ABSTRACT:

Web services, the foundation of modern SOA, are being rolled out today in ever increasing numbers across enterprises. The key benefit of web services is reusability of services across applications in a distributed environment. Reuse is especially valuable in exposing monolithic, legacy functionality as self-contained services. With the promise of SOA and web services come also the challenges for successful implementation and testing. These challenges fall directly on the developer and QA teams to meet deadlines while also deploying a robust,
resilient and reliable SOA solution.

The challenge of building robust and reliable services within a SOA exposes age-old fissures between Development and QA: Who is really responsible for testing across distributed environments.

In this article, we will explore the gaps and recommend ways of bridging such fissures to ensure greater efficiency in developing and deploying web services-based Service Oriented Architecture.

Get the Complete Article: http://library.theserverside.com/detail/RES/1202921605_546.html

SOA Testing Tool: SOAPSonar v3.5 Released

2008-02-08T08:51:00.000-05:00

Crosscheck Networks, the leading provider of SOA Testing Tools announced General Availability of SOAPSonar v3.5 with the following significant features:

Direct Database Integration for End-to-End SOA Testing
Dynamic On-Demand Binding for abstract types
Setting of Global Policies that can assigned to Custom Test Groups
JUNIT Integration that enables SOAPSonar to leverage JUNIT framework
Direct native Java key store PKI support
Optimization techniques to parse jumbo WSDLs and Schemas

SOAPSonar has become one of the most sophisticated SOA Testing tools in the industry without sacrificing ease-of-use. We have looked at many SOA Testing tools and find SOAPSonar loaded with a tremendous breath of features and the lowest cost.

In this latest release of SOAPSonar, the part that I find really significant is the ability to do end-end-to-end testing through integration with databases. Typical web services are developed using a web services container such as BEA WebLogics, Tomcat of IBM WebSphere. The web services usually make JDBC calls to backend Databases such as MySQL, Oracle, IBM DB2. For a SOA Tester to ensure that the web services call has successfully executed requires "independently" evaluating the impact of a web services call on the database. With SOAPSonar, one can now easily set evaluation criteria that not only makes sure that the SOAP Response is evaluated for success/failure but also the state of the back-end database is evaluated to make sure that the end-to-end transaction was successful.

To download latest version of SOAPSonar, visit http://www.crosschecknet.com

SOA Testing: BEA vs. Oracle

2008-01-16T17:37:00.000-05:00

Oracle purchase of BEA for $8.5B is a strong indicator that the tech market is in a consolidation mood. I have SOA Tested both BEA WebLogics and Oracle OC4J. For details on SOA Testing both servers, see the following articles:

1) Getting Started with Message-Level Encryption on WebLogic Server 9.2

2) Amazon EC2 and Oracle SOA Suite a Strong Combo

Having SOA Tested Both Oracle OC4J and BEA webLogics extensively, here are some items that stood out:

1) Installing Oracle OC4J was easier than WebLogics.
2) The foot print of OC4J is smaller.
3) Configuring Oracle OC4J was much easier that BEA WebLogics
4) Setting security policies within OC4J was much easier than in WebLogics
5) BPEL Process Manager components were easily configurable in OC4J.
6) The documentation and examples for setting SOA Policies were more mature in OC4J.
7) The Web Services stacks are equally mature.

I expect OC4J to do really well within the BEA install base. Oracle SOA Suite is very well packaged and will be adopted by BEA customers. I love BEA's technology, however, for rapid mass adoption, Oracle has done a better job. With this acquisition, Oracle will have a better perception in the AppServer market and will be able to capitalize on this over time. But then again, there is the great Opensource market - Tomcat.

Through my SOA Testing endeavours, I found SOAPSonar from Crosscheck Networks to do a great job in exercising the web services stacks of both app servers. Other testing vendors fell short of providing the extensive testing capabilities required withing a SOA environment. For more information about SOAPSonar, visit:

Crosscheck Networks

SOA Testing saves Planet Earth

2007-12-19T11:25:00.000-05:00

Every tree counts, and every page that we don't print matters. Now we all know that organizations are changing from paper-based processes to electronic processes by using data transmission standards such as MTOM mostly as a cost saving and improved services level measure. But a great side effect that is often not reinforced is the fact that we are improving planet Earth by not cutting down trees and creating undue waste.

By enabling enterprise to rapidly deploy technologies such as MTOM, we can collectively accelerate electronic processing of documents. It's a win-win for everyone: Companies save money and improve processing efficiencies and our environment improves.

SOA Testing tools such as SOAPSonar provide a rapid way of testing your MTOM deployments. The following article will get you jump-started on using and testing MTOM in your enterprise - and perhaps save some trees:

Introduction to MTOM: A hands-on Approach

SOA Test Tools -- InfoWorld Test Center Report

2007-11-27T19:33:00.000-05:00

Rick Grehan wrote a comprehensive report titled "Clean up your SOAP-based Web services - The Test Center inspects five worthy tools for keeping your services squeaky clean." The report compares and rates commercial SOA Testing tools from the following vendors:

Crosscheck Networks
AdventNet
Mindreef
Parasoft
iTko

You can read the report at:

http://www.infoworld.com/article/07/11/26/48TC-web-services-test-tools_6.html

SOA Testing - It's gaining traction

2007-10-23T09:05:00.000-05:00

STARWEST 2007 is the premier conference for QA/Testing professionals. With over 1000 attendees focused on learning the latest testing techniques, the conference serves as a benchmark for what is relevant to the testing community.

This year, we are thrilled to see the testing community starting to focus on and learn about the nuances of modern web services-based SOA Testing. The increasing number of SOA Testing related offering at STARWEST 2007 serves as a good bechmark for the increase in relevance and activity in this area. The following talks and courses are presented this year realted to SOA Testing:

The Coming SOA Revolution: What It Means To Testers -- Frank Cohen, PushToTest

Testing SOA Applications: What’s New, What’s Not -- Brian Bryson, IBM

Ensuring Quality in Web Services -- Chris Hetzler, Appolis Software

The Art and Science of SOA Testing -- Mamoon Yunus & Rizwan Mallal, Crosscheck Networks

This is the second event where we are presenting a day long course on SOA Testing. STAREAST 2007, hosted in Orlando, FL was the first day long course offered exclusively on SOA Testing in the industry. We are on v2 of this course with more structured Labs. I hope the attendees like it more than the v1 offering at STAREAST 2007 - although an 8.9 average from 28 attendees will be tough to beat.

SOA Testing Goes Academic

2007-10-14T21:39:00.000-05:00

I came across a recent publication titled Testing in a SOA World presented at The Proceedings of the International Conference on Information Technologies (InfoTech-2007), September 21-23, 2007, Bulgaria.

Here's the Abstract:

"Abstract: Service-oriented architecture (SOA) is the latest attempt to better link the
business with technology. Testing a SOA applications become more and more complex,
as it should be continuous, not just in development and integration, but in deployment,
because an SOA by nature is never a static application. Even if each service in a SOA
application is tested thoroughly and carefully the quality of the final application may
suffer because testing is not enough after the integration of the services. This article
presents the challenges and problems that test teams experience when testing SOA
applications. It also summarizes how the testing of SOA is carried out now and gives
some ideas on further improvements."

The article provides a comprehensive overview of challenges facing the SOA Testing world. I am pleased to see the academic community getting involved in this area and hope that will innovate and produce exceptional original work in solving issues in SOA Testing. For the complete article, please see:

http://www.crosschecknet.com/soa_testing/TestingInAServiceOrientedWorld.pdf

SOA Testing Market Report -- the451group

2007-10-08T09:18:00.000-05:00

Dennis Callaghan, analyst with The 451 Group, has written a comprehensive report on the state of the SOA Testing market. You have to be a member to access the report, however, here is a snippet from Dennis' piece:

"As enterprises increasingly deploy architectures where applications share and exchange data and information as services, demand will grow for tools that test these complex service interactions – a demand that traditional developer testing tools can't really meet. And so the SOA testing tools space was born and is currently populated by existing testing vendors that have developed new products to meet the particular needs of this architecture, as well as more nimble startups looking for ways to differentiate their offerings. Many of these startups, as they grow and prove the market for their software, should become attractive acquisition targets. This remains a nascent space and there has yet to be an acquisition of an SOA-specific testing company."

To read the full report, please visit www.the451group.com for a trial membership or click here - http://www.the451.com/apply/apply.php.

Adjusting for SOA Testing

2007-08-15T15:04:00.000-05:00

SD Times recently published a good article by David S. Linthicum: Adjusting for SOA Testing. David argues that for SOA Testing, existing testing techniques and tools should not be tossed out but we need to rethink the concepts and technology behind SOA and "adjust" accordingly.

Depending on how much "adjustment" equates to a total toss out, perspectives may vary. We believe that adjusting the technology by slapping on service-orientation to testing products that were grounded in web-site testing is a severe adjustment.

How services are tested, require a clean, ground-up testing product that is built for testing services, their dependencies and re-use rather than testing web sites. The primary focus of SOA is re-use and testing tools focused on SOA need to be built with testing re-usable services in mind.

We humbly differ from David that adjusting the technology is sufficient. Tossing out web-site testing tools and adopting a SOA Testing Tool built ground-up for service testing is a better strategy that saves hours of test suite authoring for functional, performance, interoperability and vulnerability testing.

We do agree that the testing techniques need to be adjusted. One area of emphasis within SOA Testing is abstraction. Most likely, a modern SOA is built using web services with access to only a WSDL file and not the actual source code. This eliminates the ability to do White Box testing and restricts users to Blackbox or Gray Box testing. See for example: SOA Testing Tools for Black, White and Gray Box Testing.

Overall, David does a great job in bringing this discussion to everyones forethought - if quality and security are not addressed with a SOA deployment, the reuse of poor services are bound to proliferate and degrade the overall quality of a SOA.

Next Gen SOA Testing Tools: SOASOAPSonar 3.0

2007-08-06T18:18:00.000-05:00

Crosscheck Networks recently released SOAPSonar 3.0 - the next generation of SOA Testing products with a broad array of new testing features and techniques tailored for SOA Developer, Testor and QA Professionals.

Enterprise ITPlanet Staff published a review of SOAPSonar 3.0 highlighting significant product areas and features.

http://products.enterpriseitplanet.com/security/security/1184252855.html

Web Application Security Testing - The father of SOA Security Testing

2007-06-29T07:49:00.000-05:00

Watchfire, the maker of AppScan, a web application security testing with around $20M in annual revenue was acquired by IBM's Rational division for ~$100M. The exact price was not disclosed. Watchfire's competitor, SPI Dynamics, maker of WebInspect was subsequently acquired by HP. SPIDynamics had revenues of 18.5M for 2006 and was bought for ~$120M. Again the exact value of the deal was not disclosed.

What does this all mean for SOA Testing: The next logical step for HP and IBM is to extend web application testing into modern web services-based SOA testing. Although HP's acquisition of Mercury that had acquired Systinet, provides HP "SOA awareness," it makes startups like Crosscheck Networks, iTKO, and Mindreef prime candidates for a deeper relationship with such large vendors that are now poised to address SOA Testing.

SOA Magazine - On SOA Testing

2007-05-26T16:05:00.000-05:00

Thomas Erl, a thought leader and specialist of everything SOA, author of Service-Oriented Architecture: A Field Guide to Integrating XML and Web Services" and "Service-Oriented Architecture: Concepts, Technology, and Design, " - both books international bestsellers, is the Site Editor and Series Editor for The SOA Magazine, a monthly online publication provided by SOA Systems Inc. and Prentice Hall/PearsonPTR and is officially associated with the "Prentice Hall Service-Oriented Computing Series from Thomas Erl."

Watch your SOA Blind Spots is published in the latest edition of The SOA Magazine. Web services testing techniques have been around for some time. However, with the increased utilization of Web services within service-oriented solutions, the demands and complexities placed on Web services are being taken to a new level. This is in sharp contrast to traditional RPC applications and integration architectures wherein the role of Web services was typically limited to point-to-point data exchanges. Now, Web services find themselves being reused across multiple service compositions and in the midst of dynamic and sophisticated runtime service activities and chains. This article raises a series of testing issues and provides recommended techniques and remedies for establishing robust Web services-based SOA implementations...

The SOA Magazine: http://www.soamag.com/default.asp

Watch your SOA Blind Spots: http://www.soamag.com/I8/0607-2.asp

Building SOA using Microsoft SQL Server 2005

2007-04-12T06:45:00.001-05:00

Microsoft SQL Server 2005 provides one of the leading edge web services-aware Database. It is easy to install and configure and can rapidly expose a stored procedure as a web services WSDL operation. With an integrated HTTP stack, MS SQL Server 2005 does not require a separate web server like IIS.

For an overview of SQL Server SOA capabilities, see Jerry Dixon's article:

SQL Server and SODA
— Over the past year, I've been discussing some of the various technologies found inside SQL Server 2005. Three of these technologies are CLR integration, HTTP endpoints, and Service Broker. (Articles on these topics were published, respectively, in the November 2005, March 2006, and November 2006 editions of the DNDJ.) Each of these is a powerful tool in its own right, and can be used to great effect in almost any SQL installation. When used together, however, they become much more powerful.

For tutorial on setting up endpoints and exposing a stored procedure as web services operations, see Peter DeBetta's article:

New HTTP Endpoints Create SQL Server 2005 Web Services.

SOA Testing Microsoft SQL Server is simple. The WSDL generated is WS-I BP compliant and can easily be loaded into testing tools such as Crosscheck Networks SOAPSonar for Functional, Performance, Interoperability and Vulnerability Testing of the exposed endpoints.

How SOA Increases your Security Risk

2007-04-06T17:00:00.000-05:00

Bret Latamore published an interesting piece in ComputerWorld on how SOA increases your security risk. The article emphasized what I can compress as follows: Flexibility is the enemy of Security.

Anytime one works towards an open, standards-based architecture to integrate internal and external systems, people and processes, the vulnerability target for attack vectors increases quadratically with the number of nodes that are "open."

The article highlights one of the most important aspects of SOA deployment: Identity Management. With chained web services where a web services may call a number of downstream web services, identity must be carried as a part of the content within the SOAP/XML message as a SAML assertions. Within such environments, each SAML assertions validity at every node has to be established. SOA Testing such environments with Identity requirements across chained web services is complex and requires specialized SOA Testing products.

Another important point highlighted in this piece is that legitimate XML traffic within SOA deployments may inadvertently carry malware that originated upstream, but because of the chained and interdependent nature of web services, this malware now gets to a place where it never got to before in siloed environments. Such malware propagation within SOA can be prevented by infrastructure from Crossbeam and Forum Systems.

For complete article, see "How SOA Increases your Security Risk"

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015145

STAREAST 2007: SOA Testing Tutorial

2007-04-01T17:04:00.000-05:00

STAREAST 2007, the premier software testing conference is taking place in Orland, FL on May 14-18. For the first time, a new day long SOA Testing tutorial is being offered to attendees.

SOA Testing is becoming important to QA Professional and ramping up on web services concepts such as WSDL, SOAP, XML processing is essential in deploying reliable, scalable and interoperable web services within a SOA.

We are thrilled to see the leadership exhibited by the STAREAST 2007 organizers, especially Lee Copeland in recognizing the importance of SOA Testing.

Anyone interesting in learning about SOA Testing concepts is encouraged to register and attend.

SOA + Utility Computing

2007-03-14T19:46:00.000-05:00

As Amazon EC2 exploded onto the IT scene summer 2006 with a beta "by invitation only," we were fortunate to get an account and by August 2006 start pounding on the first practical Utility Computing infrastructure that was more than a bunch of slides and marketing mumbo-jumbo.

Every astute marketing team has at some point used Utility, Grid and Virtualization in their power point slides and brochure-ware. I have been at many conferences and on many calls where I kept hearing such terms but couldn't figure out what all this hoopla was all about, I don't think the presenters knew either ;-) If I can't touch it, I don't understand it. If I can't play with it, it is just vaporware. So, I kept my eye on Grid computing but never really saw a commercial (non-academic) benefit of using grids and utility computing. As much as I am into Astronomy, I couldn't see myself ever using an academic grid to compute the Milky Ways expansion rate or some other esoteric problem.

Finally, Amazon EC2 exploded on the scene with a startling characteristic: a full web services-based provisioning interface. Starting up and terminating Linux instance is as simple as a SOAP call.

This characteristic is the most significant and disruptive aspect of the Amazon EC2 platform. All Hardware and Software product vendors take notice: Your products should be Amazon-aware for true scalability.

So we did what any geek would do, played with the EC2 platform day and night and then published a first paper on EC2: "Amazon EC2 and Oracle SOA Suite a Strong Combo" on Dr. Dobbs.

A few weeks later, SAP has taken notice. Perhaps it had something to do with the emails that we sent to 40 SAP folks about this concept. A couple of significant announcements/interviews from SAP this week:

InfoWorld: Q&A: SAP chief developer heads 'clouds'
Business Week: Opening Up to Collaboration (interview with Shai Agassi, President SAP Product Development)

We sincerely hope that large vendors such as SAP, Oracle, BEA, IBM, and Microsoft take advantage of platforms like EC2 for both their SaaS offerings as well as making their software components EC2-aware. We believe SOA Testing Tools will have a significant role to play in making SOA components run smoothly on Utility Computing Platform such as EC2.

SOA World Editorial - Getting on the Grid

2007-03-09T08:40:00.000-05:00

On Jan 14, 2007, Dr. Dobbs published an article titled Amazon EC2 and Oracle SOA Suite a Strong Combo that highlights the convergence of SOA and Utility Computing. This article highlights a move towards Hardware as a Service (HaaS) and the merits of dynamically provisioned hardware based on crossing pre-set resource thresholds (CPU, Memory, TCP Connections, etc). Excerpts from this article are as follows:

Web services-based SOA has fundamentally changed how applications integrate. Add on top of that Amazon EC2 to host your business operations, and you get a potent combination. The significant, yet unnoticed breakthrough of Amazon EC2 is in its ability to spawn up a server instance by a mere web-service call. In addition to a command line interface, EC2 provides a detailed provisioning WSDL that can be used by any web-services application to dynamically control (e.g., run, terminate, authorize) Linux instances within the Amazon Cloud.... components which run business applications can also control dynamic provisioning and maintenance of the very physical infrastructure that they are deployed on. With Amazon EC2, for the first time, SOA components are aware of and in control of their host machines and can clone new instances of themselves based on environmental factors such as user load, available resources and cost.

On March 7, 2007, Ajax World Magazine Sean Rhody, Editor-in-Chief of SOA World Magazine, echoed our sentiments with a superb piece, SOA World Editorial — Getting on the Grid. It is always gratifying to see industry luminaries such as Sean see things in the same light. I liked the new term Sean uses, SOI: Service Oriented Infrastructure. Here are some excerpts from the article, it's a must read:

Grid computing, with the ability to bring capacity on line and to bear on a problem as needed provides another stunning opportunity to move from traditional means of operation to a service platform. Bringing CPUs to bear on a problem in a dynamic fashion, assigning additional network capacity to deal with peak loads, and allocating private connections on the fly in response to security needs are just a few of the capabilities that infrastructure vendors are building into their hardware and operating software.

Great minds do think alike - Kudos to Sean for appreciating and writing about the inevitable convergence of SOA & Utility computing and its impact on SOA Testing.

Intro to SOAP Headers in C#

2007-03-04T17:03:00.000-05:00

Let's learn how to manipulate SOAP Headers in .NET C# with a simple web service producer-consumer example. .NET Framework SDK provides a sample producer that receives a SOAP Request with Header information, gets a handle on the Header and returns information from the Header as a part of the SOAP Response. To get familiar with manipulating SOAP Headers let's walk you through the steps on loading this in Web Matrix.

Get familiar with building simple web services in .NET. See Building and Testing your First Web Service in .NET
Download the C# SOAP Header sample from here.
Start a web services project in ASP .NET Web Matrix and copy the sample C# SOAP Header code from Step 2 above into the editor. See figure below.
Hit the save button and then the start button. This will bring up the browser with the service description. The WSDL file will be available at a location similar to http://localhost:9090/SOAPHeaders.asmx?WSDL (depending on your port setting and .asmx file name in Web Matrix). See Step 1 example.
You can now load the WSDL is a SOA Testing Tool that is SOAP Header aware. SOAPSonar is one such flexible SOA Testing Tool that you can download from Crosscheck Networks.
Load the WSDL into SOAPSonar. The parsed WSDL shown below has a header and a body inputs. Entering values for the Headers and Body results in a SOAP response from the SecureMethod.

Testing SOAP Headers requires test tools to properly parse WSDL and generate input fields for the SOAP Headers. SOAPSonar enables developers and testers to do this easily. With full SOAP Header control, you can now build authentication, routing, audit, and security schemes right into the header. It is strongly advised that standards-based header content is used and customization for header be restricted for maximum interoperability.

SOA Consolidation

2007-02-24T19:18:00.000-05:00

Reactivity was purchased by Cisco for a cool $135MM, making it the largest acquisition in the SOA space. DataPower (aquired by IBM for ~$105MM and Systinet (acquired by Mercury for ~$102MM) were the other >$100MM acquisitions. Other smaller ones include Sarvega (acquired by Intel for ~$40MM), Conformative (acquired by Intel for ~$32MM), Infravio (acquired by webMethods for ~$38MM) pretty much consolidated the space leaving Forum Systems, Layer7, SOA Software and Amberpoint as the independent private companies. Further consolidation is inevitable.

The second wave of SOA Infrastructure startups in underway. Andrew Nash, CTO of Reactivity, started a company focused on XML identity. Sonoa Systems is the Next Gen XML Infrastructure Company still in stealth mode and is funded by SAP Ventures, Norwest Ventures, and Bay Partners.

Ofcourse, all XML/SOA infrastructure companies will require extensive SOA Testing to make their products enterprise ready. They will have to deal with the extensive web services/XML standards such as WS-Security, its profiles such as User Name, X.509, Kerberos, SAML tokens as well as SOAP signatures and encryption. Starting XML/SOA infrastructure companies from scratch will enable such new startups to build ground up on relatively newer and useful standards such as WS-Policy, WS-SecureConversation, etc. The second cycle will be shorter with exits taking 3-4 years unlike the 5+ years needed by the 1st wave of SOA consolidations.

For an interesting interview on Sonoa by Eric Knorr, see this video clip.

Testing SOA Applications: App Labs Article

2007-02-17T09:42:00.000-05:00

AppLabs Technologies is a Sequoia Funded testing company based in Hyderabad, India. AppLabs services encompass Functional, Performance, and Quality Testing with a distinctive SOA Testing focus. They published a good article on Approach to SOA Testing Applications. This article does a great job on detailing issues associated with Functional and Performance Testing.

On functional testing, it points out that most testing tools are focused on unit testing and are incapable of building composite interdependent tests across technology platforms, languages and systems.

On the performance testing front, this article takes the position that:

"Once the appropriate performance scenarios have been defined, multiple test tools/techniques are required because of the presence of different platforms and technologies. During test execution, monitoring application performance and collating data would be a challenge since there is no “one stop shop” tool which gives insight into the overall big picture."

Although obtaining a composite functional & performance picture may require source code access to figure out root bottlenecks, in modern, web services-based SOAs, the atomic web service "producer" API is what is being tested for performance characteristics. The web service operation internals are a black box operation that may internally call other web services. If all dependent contracts are advertised and available to a SOA Tester, then overall big picture performance characteristics are readily available from existing SOA Testing Tools.

The visibility does stop at the WSDL API level that is provided to the SOA Tester however. For more detailed view into performance and functional characteristics, white box testing is required. This may not be feasible with the proliferation of SaaS. The next closest view into functional and performance characteristics of a web service may be obtained through Grey Box testing. See SOA Testing using Black, White, & Gray Box Techniques for details.

With the proliferation of web services-based SOA within Enterprises and SMBs, AppLabs is focused on the right space and is positioned to capitalize on the increasing testing needs of complex SOA deployments.

Testing SOA Applications and Services

2007-02-13T17:07:00.000-05:00

Mercury/HP published a good article on SOA Testing highlighting some facets of "non-GUI" testing. Mercury solution seems to address Functional and Performance testing for SOA deployments. These 2 aspects of web services-based SOA testing are part of the 4 pillars of SOA testing necessary for comprehensive SOA test coverage. Interoperability and Vulnerability testing form the other two necessary Pillars of SOA Testing.

One of the features that stands out is Mecury's "stub-simulation" capability that allows testers to simulate services to build test suites without requiring access to the target production system.

For complete article, see Testing SOA Applications and Services (registration required).

Watch your SOA Testing Blind Spots

2007-02-05T19:40:00.000-05:00

This latest article by Crosscheck Networks' R&D team highlights various common SOA Blind Spots that SOA testers experience in real-life deployments.

The Blind Spots and remedies focus on the following areas:

Performance
Security
SOAP Attachments
WSDL
Interoperability

For these 5 areas of SOA Testing, the article describes how to identify common SOA blind spots and techniques for avoiding them.

The full article (PDF), can be downloaded here: Watch your SOA Testing Blind Spots

Mashup Camp, MIT

2007-01-18T21:14:00.000-05:00

I enjoyed attending a few sessions at Mashup Camp. Overall, there is significant innovation and electricity around what the Mashup community is putting together. I enjoyed Jinesh Varia's (Amazon) presentation on building your own YouTube (iTube!). The use case involved uploading-> storing(S3)-> queuing(SQS)-> processing(EC2)-> hosting(ECS)-> Filtering(MTurk)-> Searching(perhaps Hadoop on EC2) video/images. The use case was intriguing since it logically and convincingly utilized parts of the Amazon Infrastructure. This highlights the point in my earlier blog that the cost of innovation is dramatically lower and even when scalability is required, the cost will align with specific computation & storage needs.

I also enjoyed looking at Mashups developed by LignUp, VOIP-SOA company. LignUp provides a comprehensive platform for controlling and integrating VOIP traffic within an enterprise network. The use case that I found most intriguing is having voice tied into CRM systems. This would give a fuller picture on communication between a company and its customers beyond just email archives.

I bumped into Julio Burgo from Carmun, a web portal for students to share and store academic research papers. I love their tag line: "Students of the world Unite!"

For a list of all the attendees, see Mashup Attendees.

Amazon EC2 and Oracle SOA Suite a Strong Combo

2007-01-14T19:53:00.000-05:00

With Mashup Camp (Boston) right around the corner, I was happy to see Dr. Dobbs Journal publish an article that I have collaborated on with David Shaffer, Sr. Director Product Mgmt, Oracle Integration and Rizwan Mallal, from Crosscheck Networks, R&D. The article is written to drive home an important set of shifts that are a result of Amazon's Utility Compute Platforms, EC2, S3, SDS, etc. and it's intersection with web services products such as Oracle SOA Suite 10g.

In this article, we focused on how the Oracle SOA Suite can be used beyond its conventional business process role and more as a core SOA infrastructure traffic management platform for content-based routing, load balancing and fail over type functions for Amazon EC2 Linux instances.

http://www.ddj.com/dept/webservices/196900803

Prediction: In the next 2-3 years, perhaps sooner, Amazon EC2 in combination with SOA Suites will cause a fundamental shift in corporate computing. Also, EC2 & SOA will unleash unprecedented low cost innovation where startups will get off the ground with far lower capital than that required in the pre-Amazon and pre-web services era.

Web Services Testing SugarCRM

2007-01-11T20:34:00.000-05:00

SugarCRM is cost-effective, powerful and flexible open source CRM system built on PHP and MySQL Database. Its a great CRM system for cost-conscious companies that need a solid CRM platform. At $40/user/month for a hosted On-Demand offering, its priced for the frugal.

Besides its great CRM functionality and reasonable pricing, what I really like about SugarCRM is its extensive web services API. This enables the SugarCRM platform to be easily integrated with the IT ecosystem that is increasingly becoming web services aware.

If you a have a web site portal that captures customer registration information, and you'd like to integrate that with a Leads Capture Mechanism, I highly recommend that you consider SugarCRM. Its SOAP API makes the integration process between your web portal and the SugarCRM Leads Module simple. The fields in the Leads Module are highly customizable and all your customized fields are available via the SOAP API as well.

For a Quick Start on SugarCRM Web Services Functionality, see the following article:

Getting Started with SugarCRM Web Services using SOAPSonar

RadView's PdM & Dev blog: SOA closing the gap between functional and performance testing

2007-01-08T08:23:00.000-05:00

The following blog by the Radview Product Management team shows how quickly companies are adapting to SOA requirements. I think they have clearly identified customer needs both from a testing and traffic management perspective. With their products becoming web services aware, Radview will meet customer needs for web services testing.

RadView's PdM & Dev blog: SOA closing the gap between functional and performance testing

NuSOAP: An easy to use SOAP Stack for PHP

2006-12-27T17:41:00.000-05:00

If you need to make your PHP-based application make SOAP calls into an application with a WSDL-based interface, consider using NuSOAP. It is simple to use and will get you up and running within minutes. The best part is that you dont have to install any new PHP Extensions. All you have to do is to download and unzip the NuSOAP files in your PHP-enabled web server and you are ready to go.

A couple of good resources for getting started with NuSOAP are:

1. NuSOAP Home.
2. Introduction to NuSOAP.

JavaWorld: Naked Web services

2006-12-21T09:04:00.000-05:00

JavaWorld published a piece titled "Are your Web Services Naked or Covered?" I co-authored this article to highlight the impact of exception handling techniqes on web services-based SOA. You will learn exception handling constructs that ensure your web services do not leak sensitive information to the consumer.

"Bottom line: For externally facing web services exposed to a large number of public consumers, only recoverable exceptions should be communicated. All other exceptions should be controlled, cleansed, or suppressed."

http://www.javaworld.com/javaworld/jw-12-2006/jw-1220-wsexcept.html

Building & Testing your first Web Service using .NET

2006-12-10T19:45:00.000-05:00

Alright - it this takes more than ten minutes for you to do, then I will change the instructions and try to simplify things so that you can build & test your first web service in less than 10 minutes. The over all steps are as follows:

1. Download and install .NET WebMatrix.

2. Goto: Start > All Programs > Microsoft ASP .NET Web Matrix > ASP .NET Web Matrix.

3. You will be prompted for with a screen shown below. Fill in the information as shown. Select "Web Services" in the left panel and the "Simple" template in the right panel. I created a C:\WebServices folder to store the .asmx file and picked C#.

3. This will auto-generate a web service for you with the following code:

4. Hit the play button in the IDE and it will prompt you for the start the web application on port 9090. Make sure your local firewall is turned off.

5. A web browser with operation Add will appear. You can click this and start playing with your first web services.

Within 5 simple steps, you should have successfully setup a web services.

Note: Web Matrix cannot be accessed remotely so all your testing has to be local. For remote accessibility you can deploy your web services file (MathWS.asmx) on an IIS server.

SOA testing and building is as easy as 1,2,3 -- and 4, 5 :-)

Oracle BPEL Process Manager

2006-11-22T17:46:00.000-05:00

The following article published in SOA Web Services Journal provides a good glimpse into interoperability issues between Microsoft .NET WCF and Oracle BPEL Process manager. It highlights a couple of interesting items:

1. WS-Addressing is required for endpoint representation especially for long running transactions where the server invokes a callback to the client for sending the response once the processing is complete. Oracle BPEL Process Manager supports a different version on WS-Addressing than Microsoft .NET WCF. So out-of-the-box, the WS-Addressing will not work. Luckily, Oracle BPEL Process Manager supports WS-BPEL extensions (bpelx:headerVariable) that provides the BPEL process access to header information sent by the client. With a handle on header information, the BPEL process manager can manipulate WS-Addressing information and ensure that the the Process executes and that the call-back is compliant with what the .NET WCF client is expecting.

2. When a server is WS-Security enabled and is expecting a User Name Token, an X.509 token, or a SAML assertion in the SOAP Header, the BPEL Process Manager can again use WS-BPEL extensions such as (bplex:inputHeaderVariable) to stuff SOAP Headers with tokens before invoking an endpoint that expects this information.

Really Cool Stuff!

Web Services and SOA
— People sometimes ask what a service-oriented architecture enables today that could not have been done with the older, proprietary integration stacks of the past 5 to 15 years, such as those from Tibco, IBM, or Vitria. One such ability is the greater degree of interoperability between heterogeneous technology stacks that is made possible by the standards SOA is built on, such as Web services and BPEL. Although interoperability is only one facet of the SOA value proposition, it is one that has become increasingly more important, due in large part to the evolving IT environment, merger and acquisition activity, and increased partner connectivity.

CSI 33 Orlando

2006-11-08T14:37:00.000-05:00

I like the fact that Orlando Airport offers a free wireless connection and that I am able to make this blog entry in front of Terminal 73 while I wait for my flight back to Boston.

CSI 33 is a Computer Security Conference where security professional gather to stay current with IT security related issues. This is my second CSI and just by the attendance at my talk, I can see the rapidly increasing interest amongst Security Professional in testing, discovering and remediating SOA security related issues. CSI 33 had an entire Web Service Track with four sessions around SOA Security and Threat related issues. I chose to present under the Attacks and Countermeasures track and was pleasantly surprised that the room was almost packed for an early morning session. I was also impressed by the level of questions coming in from the audience. One individual from Salesforce.com was focused on security issues for the web services based AppExchange interface with over 400 third party applications developed against their API.

More so than ever, I believe that Web Services & SOA security is something security professionals are not just aware of, but now see as their responsibility. Security Professionals are making great strides in understanding the nuances of web services security and how it is a logical extension of their domain given that they are already dealing with application security issues within HTTP(S), HTML, Cookies and the HTTP header in general. Now they have to go deeper in the SOAP packets and make sure that the back end systems are tested and secured for SOAP-borne vulnerabilities.

BEA WebLogic 9.2: Testing SOAP Encryption

2006-11-01T10:32:00.000-05:00

One of the most powerful capabilities of application servers such as BEA's new WebLogic 9.2 is message-level security. Such features make WebLogic a natural component for a SOA deployment.

In the article, posted on BEA's dev2dev.bea.com website, the message level encryption capabilities of WebLogic are explored and a step-by-step guide is provided from downloading the server to setting up you first policy.

http://dev2dev.bea.com/pub/a/2006/10/message-level-encryption.html

Give WLS 9.2 a spin, its simple, easy and powerful.

Load Testing Web Services

2006-10-29T17:07:00.000-05:00

Syscon September Edition of SOA Web Services Journal has a number of good pieces on web services testing. I found Load Testing Web Services interesting, especially in its description of important parameters in Load Testing web services.

Load Testing Metrics and Parameters
The results obtained by load testing Web Services can potentially be reflected in terms of the following parameters.

Response time: It's the most important parameter to reflect the quality of a Web Service. Response time is the total time it takes after the client sends a request till it gets a response. This includes the time the message remains in transit on the network, which can't be measured exclusively by any load-testing tool. So we're restricted to testing Web Services deployed on a local machine. The result will be a graph measuring the average response time against the number of virtual users.
Number of transactions passed/failed: This parameter simply shows the total number of transactions passed or failed.
Throughput: It's measured in bytes and represents the amount of data that the virtual users receive from the server at any given second. We can compare this graph to the response-time graph to see how the throughput affects transaction performance.
Load size: The number of concurrent virtual users trying to access the Web Service at any particular instance in an interval of time.
CPU utilization: The amount of CPU time used by the Web Service while processing the request.
Memory utilization: The amount of memory used by the Web Service while processing the request.
Wait Time (Average Latency): The time it takes from when a request is sent until the first byte is received.

We have deployed WS-SOA Gateways at many locations worldwide, and most of the deployments are 1-u Appliances with dual CPUs and crypto accelerators. Most of the load requirements center around message sizes. I have yet to see a deployment that comes close to harnessing the 1000-2000 TPS capacity of appliances when small to mid size documents are invovled ranging from 1K-100K. Where things get interesting is in the > 2G range of SOAP Attachments. In such deployments we typically see the back end application server croak on such documents once the gateway has processed it and given it a clean bill of health. And by the way, only at one deployment, did number of concurrent users even matter. Web Services are typically used for Application-to-Application communication where 1000's of concurrent connections are unnecessary, unlike in B-to-C deployments.

What's even more interesting is the lack of SOA Testing Tools that can handle such large documents without choking. Of course you can always write your own testing scripts or propose to do so if you are in the consulting business ;-)

ChoicePay: Rising above the SOA Testing Challenge

2006-10-19T11:29:00.000-05:00

Recently, Salman Akhtar, CEO Techlogix, published a good case study regarding SOA Testing Challenges and how ChoicePay, an electronic billing company, overcame these challenges "without throwing more bodies at the problem."

The article, published by SOA /WS Journal is a good read for anyone concerned about SOA Tesing:

http://webservices.sys-con.com/read/284568.htm

Web Services Testing NetWeaver Application Server, Java EE 5 Edition

2006-10-16T09:06:00.000-05:00

SAP has recently released one of the first Java EE 5 compliant application servers. I tested this server's web services capabilities and found it to be easy to use. SAP NetWeaver Application Server, Java EE 5 Edition install contains the application server, the NetWeaver DeveloperStudio and MaxDB database. My biggest challenge was installation, but SAP Developer Network (SDN) came to the rescue and after my installation was complete, I was off to the races.

Details of the evaluation are published on TheServerSide.com.

You can also see details of the installation and test process at:

http://www.crosschecknet.com/web_services_testing_tools_sap_netweaver.php

Give NetWeaver Application Server a spin - you'll be publishing web services in no time.

How to use Amazon EC2 WSDL

2006-10-02T15:54:00.000-05:00

If you are interested in testing the Amazon EC2 WSDL API as well as the S3 WSDL interface, you can go to the URL below for details on how to setup SOAPSonar, a web services testing tool by Crosscheck Networks.

Loading up X.509 certificates in SOAP headers for authentication to Amazon EC2 is the most interesting part of this article.

http://www.crosschecknet.com/web_services_testing_tools_amazon_ec2.php

Amazon EC2 and S3 SOAP API

2006-09-22T16:00:00.000-05:00

For the SOAP/WSDL-types out there thinking of building mashups, you can use SOAPSonar Enterprise Edition from Crosscheck Networks for using and testing the EC2 and S3 WSDL APIs simultaneously. SOAPSonar handles X.509 Certificates and easily communicates with both S3 and EC2.

I used SOAPSonar for cleaning up my buckets that were populated with image files from EC2.

Floating through the Amazon Elastic Compute Cloud

2006-09-21T22:23:00.000-05:00

I have been at it again - OCD. My friend "lent" me his AWS account and I have been obsessively experimenting with Amazon's Elastic Compute Cloud or EC2. You can provision a Linux instance in a few minutes by choosing from Amazon's default image menu -- which I see growing, or you can build your own private image by either modifying a default image or build a brand new image on your Linux machine.

I love the fact that I can organize a bunch on different images on Amazon Simple Storage Service (S3) and provision a machine whenever I need to.

My QA team is responsible for testing our SOA/WebServices Gateway with a number of integration points such as Identity Server (LDAP, AD, SiteMinder, ClearTrust, TAM) for Web Service Authentication and Authorization, Database Servers (MySQL, Oracle, DB2, etc.) for Archiving and a number of App/Web Servers (Apache, WebLogic, WebSphere, etc.). And all of this across different versions.

Needless to say, our testing infrastructure is large, complex and expensive. It is going to save us a "crap" load of time & money by storing images on S3 and provisioning the "required" images when needed. I can hear the silence of all those sever fans in our labs now. The noise reduction itself is worth a premium.

And when my Field Engineers have to demonstrate how well our product (Forum Sentry) integrates with the IT assets in a corporate ecosystem, all they have to do is instantiate the clean, tuned, tested components imaged on S3. No more running around the day before trying to install WebSphere, or TAM. I will pay to see someone install some of these components on their demo laptops within a day.

Next steps -- using EC2 WSDL API along with the S3 WSDL API.

Stay tuned, my OCD stems from the thrill of being able to start 10 instance of MySQL with one command (ec2-run-instances).

Amazon S3 - Penetrating Enterprise Backup Market

2006-09-10T20:29:00.000-05:00

Amazon S3 (Simple Storage Service) is a virtual vault where one can store personal or corporate information. It is doing well with developers focused on building storage applications for personal use. I have a hard time backing up stuff and have had problems with my USB storage devices, so browser based applications like S3Fox seems really attractive.

I think S3 is great for enterprise backup. However, Amazon will have to figure out an SLA that gives enterprises the same comfort like the Iron Mountain folks give Fortune 500 companies. Fortune 500 companies readily turn in their back up tapes to Iron Mountain, but hesitate when you talk about data backup using S3.

Amazon should look into building a physical offering (software or appliance) that acts as a staging area and is deployed within the enterprise with an option of asynchronously uploading information to S3. The SLA boundary would then be around the appliance and the S3 service.

Or perhaps Amazon should partner with IBM and build a plug-in for their back up tapes that now include encryption.

Why is SOA Testing Crucial?

2006-09-02T14:15:00.000-05:00

After spending over 7 years working with XML-based messaging, I am really pleased to see that large vendors such as SAP, IBM, Oracle, BEA and Microsoft all expose their interfaces via WSDLs. This makes is easy for IT assets such as application servers, Databases, ESBs, Proxy servers, and Enterprise Applications to seamlessly work within a Service Oriented Architecture.

I have been on the road lately visiting my customers and reviewing their SOA deployments. SOAP-based messaging is getting deployed everywhere. WSDLs are being exchanged between trading partners and integrating with other systems in now easier than ever. One customer in particular has over 40 WSDLs with dozens of operations per WSDL. Their architecture is elegant with a SOA Gateway from Forum Systems and a BPEL engine from Active Endpoints. However, their SOA testing models are rudimentary using pre-SOA tools such as Mercury Interactive's QTP.

The ease of integration in a distributed and heterogeneous infrastructure puts tremendous burdens on the SOA Tester. Within a SOA, operations are heavily dependent on other operations that may be hosted by a services provider such as Amazon AWS. A SOA Tester has to build complex regression suites that test base operations as well as operations dependent on base operations. Such regression suites can get complex and need specialized techniques that keep SOA interoperability, security and reliability in mind.

I am happy to see larger commercial and public entities using web services to develop modern SOA. Now I hope that as web service deployments mature, SOA Testing techniques are shared and formalized to give modern system-to-system integration the necessary reliability, scalability and interoperability.