Wednesday, August 05, 2009

Understanding XML Gateways

The Washington Post published an interesting article highlighting security vulnerabilities in XML. The article, titled "XML Flaws are pervasive", reinforces the need for XML Gateways such as Forum Sentry as a line of defense beyond what classic IP firewalls provide.

Also, for pre-production or post-production XML/SOAP-based services, SOA Testing products such as Crosscheck Networks SOAPSonar provide extensive Security Testing to identify XML-related flaws. Once identified, the remediation strategy can involve:

  • code refactoring, which can have a serious cost and production-uptime impact
  • deploying XML Gateways with general or application-specific XML protection policies

Time and cost savings aside, using XML Gateways to protect against XML flaws, as highlighted by the Washington Post article, has a significant architectural advantage: it decouples application business logic from application security.

Tuesday, July 21, 2009

SOAPSonar vs. SOAPUI

Here's an interesting article that talks about SOAPSonar vs. SOAPUI.

SOAPUI vs. SOAPSonar

SOAPSonar has been dominant in the SOA Testing space and is the only product that provides comprehensive SOA Testing across the Functional, Performance, Interoperability and Security domains. Crosscheck Networks, the provider of SOAPSonar, recently acquired Forum Systems. With this acquisition, Crosscheck Networks now provides a wide array of integrated product offerings that comprehensively cover the service life cycle across building, testing and securing SOA deployments.

Here's another article that highlights why a testing tool that is commercially built is better suited for SOA Testing: Limits of Open source SOA Testing tools.

Monday, July 06, 2009

How to test SAML tokens

SAML tokens are often used with XML and SOAP messages for identity-related functions. Typically an XML Gateway, such as Forum Sentry, or an application server, such as SAP Application Server, consumes or generates SAML artifacts for Authentication and Authorization, or for carrying Attribute information from the sender.

For testing SOA deployments that use SAML tokens, SOAPSonar from Crosscheck Networks provides all the provisions required to dynamically construct and send SAML tokens within a web services invocation. The configuration screen for SAML tokens, which supports both SAML 1.1 and SAML 2.0, provides the flexibility to set:
  1. Issuer
  2. Name Identifier (emailAddress, unspecified, entity, kerberos, persistent, transient, X509SubjectName)
  3. Confirmation Method (bearer, holder-of-key, sender-vouches)
  4. Statement Type (Authorization, Authentication, Attribute)
  5. Dynamic Time Stamps, Time-to-Live, Include Not-Before, Include Not-After
  6. Signatures

Issuing a valid SAML token requires time-related elements that have to be dynamically generated for each request. Timestamps, TTL, Not-Before and Not-After elements and attributes give SAML assertions a temporal aspect that has to be properly enforced by the service endpoint (server or gateway) and fully tested using dynamic tools such as SOAPSonar. It is also recommended that the integrity of the SAML assertion be maintained through a signature on the assertion. This signature has to be properly generated by the client (SOAPSonar for testing) and properly verified by the service endpoint.
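As an added illustration (not SOAPSonar's code and not from the original post), the Python below builds a SAML 2.0 assertion with the issuer, name identifier format, confirmation method, statement type and dynamically computed NotBefore/NotOnOrAfter values listed above, and then applies the checks an endpoint or gateway has to enforce on them, including a bounded clock-skew allowance. The issuer, subject and TTL values are constructed sample data; signature generation and verification (XML-DSig) are left out.

```python
"""Build a SAML 2.0 assertion with dynamic time elements and enforce them.

Added example, not code from the page or from SOAPSonar. Element and
attribute names follow the SAML 2.0 core specification; the issuer,
subject and TTL values are constructed sample data. Signatures are not
covered here.
"""
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _q(name):
    return "{%s}%s" % (SAML, name)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, subject, ttl_seconds, now=None,
                    include_not_before=True, include_not_on_or_after=True,
                    confirmation=CM_BEARER):
    """Return an assertion whose time values are generated fresh for this call."""
    now = now or datetime.now(timezone.utc)
    ET.register_namespace("saml", SAML)
    root = ET.Element(_q("Assertion"), {"Version": "2.0",
                                        "ID": "_" + uuid.uuid4().hex,
                                        "IssueInstant": _iso(now)})
    ET.SubElement(root, _q("Issuer")).text = issuer
    subj = ET.SubElement(root, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {"Format": NAMEID_EMAIL}).text = subject
    ET.SubElement(subj, _q("SubjectConfirmation"), {"Method": confirmation})
    conditions = {}
    if include_not_before:
        conditions["NotBefore"] = _iso(now)
    if include_not_on_or_after:
        conditions["NotOnOrAfter"] = _iso(now + timedelta(seconds=ttl_seconds))
    ET.SubElement(root, _q("Conditions"), conditions)
    # Authentication statement type; Attribute/Authorization statements use other elements
    ET.SubElement(root, _q("AuthnStatement"), {"AuthnInstant": _iso(now)})
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, now=None, clock_skew_seconds=60,
                       accepted_methods=(CM_BEARER,)):
    """Endpoint-side checks. Returns a list of failure reasons; empty means accepted."""
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]
    failures = []
    issuer = root.findtext(_q("Issuer"))
    if issuer not in trusted_issuers:
        failures.append("untrusted issuer: %r" % issuer)
    conditions = root.find(_q("Conditions"))
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    # Tolerate a bounded clock difference between issuer and verifier, nothing more
    if not_before and _parse(not_before) - skew > now:
        failures.append("not yet valid: NotBefore is in the future")
    if not_on_or_after and _parse(not_on_or_after) + skew <= now:
        failures.append("expired: NotOnOrAfter has passed")
    if not not_on_or_after:
        failures.append("missing NotOnOrAfter: assertion would never expire")
    confirmation = root.find(_q("Subject") + "/" + _q("SubjectConfirmation"))
    if confirmation is None or confirmation.get("Method") not in accepted_methods:
        failures.append("missing or unsupported subject confirmation method")
    return failures


def demo():
    """Exercise fresh, late, pre-dated, never-expiring and wrong-issuer assertions."""
    t0 = datetime(2009, 7, 6, 12, 0, 0, tzinfo=timezone.utc)
    issuer = "https://idp.example.test"  # constructed sample issuer
    trusted = {issuer}
    fresh = build_assertion(issuer, "alice@example.test", ttl_seconds=300, now=t0)
    forever = build_assertion(issuer, "alice@example.test", 300, now=t0,
                              include_not_on_or_after=False)
    return {
        "fresh": validate_assertion(fresh, trusted, now=t0 + timedelta(seconds=10)),
        "late": validate_assertion(fresh, trusted, now=t0 + timedelta(seconds=400)),
        "early": validate_assertion(fresh, trusted, now=t0 - timedelta(seconds=120)),
        "forever": validate_assertion(forever, trusted, now=t0 + timedelta(seconds=10)),
        "wrong_issuer": validate_assertion(fresh, {"https://other.example.test"},
                                           now=t0 + timedelta(seconds=10)),
    }


if __name__ == "__main__":
    for case, failures in demo().items():
        print(case, "->", failures or "accepted")
```

The "late" and "forever" cases are the ones a static, pre-recorded token never exercises: only a tool that regenerates the time values per request can show whether the endpoint actually rejects an expired assertion or one with no expiry at all.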

A trial enterprise version of SOAPSonar can be downloaded here.

Sunday, July 05, 2009

Intro to SOA Regression Testing: A Hands-on Approach

Here's a hands-on approach to SOA-based Regression Testing using XML/Web Services that is useful for developers and SOA QA professionals who want to ensure that the rapid pace of changes made to web services does not degrade the quality of their services.

Intro to SOA Regression Testing: A Hands-on Approach

In this article, techniques for SOA Regression Testing are described through a hands-on approach, with a walk-through of:

  • Setting up a simple web services consumer (client) and producer (server) environment.
  • Establishing an external MS Excel data source for driving test scenarios.
  • Recording an acceptable base-line run.
  • Simulating regression by changing the producer service.
  • Re-running the external test data and identifying producer service regression.

This article was initially published on Code Project by Crosscheck Networks, Inc.
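The five steps above carried out in-process, as an added example that is not the article's own code: a constructed CSV stands in for the MS Excel data source, two versions of a producer function stand in for the web service before and after a change, the accepted run is recorded as JSON, and the re-run is diffed against it while ignoring fields that legitimately vary between runs (here a per-response timestamp). All names and values are constructed.

```python
"""Data-driven regression run: record a baseline, re-run after a producer change, report drift.

Added example, not the article's code. The CSV stands in for the Excel data
source; producer_v1/producer_v2 stand in for the web service before and
after a change. All values are constructed.
"""
import csv
import io
import json

# Constructed test data: one row per test case, the shape an Excel sheet would carry
TEST_DATA_CSV = """case,account,amount
small_transfer,ACC-1001,25.00
large_transfer,ACC-1001,15000.00
zero_transfer,ACC-2002,0.00
"""

# Fields the producer may vary between runs; they are excluded from the comparison
VOLATILE_FIELDS = {"served_at"}


def producer_v1(account, amount, served_at):
    """Baseline behaviour of the stand-in Transfer service."""
    return {"status": "accepted", "account": account,
            "fee": round(amount * 0.01, 2), "served_at": served_at}


def producer_v2(account, amount, served_at):
    """Changed producer: a new limit rejects large amounts and the fee rounding changed."""
    if amount > 10000:
        return {"status": "rejected", "reason": "over limit", "served_at": served_at}
    return {"status": "accepted", "account": account,
            "fee": round(amount * 0.01, 1), "served_at": served_at}


def load_cases(csv_text):
    """Read the external data source into one dict per test scenario."""
    return [{"case": row["case"], "account": row["account"], "amount": float(row["amount"])}
            for row in csv.DictReader(io.StringIO(csv_text))]


def run_suite(producer, cases, served_at):
    """Invoke the producer once per data row, keyed by case name."""
    return {c["case"]: producer(c["account"], c["amount"], served_at) for c in cases}


def record_baseline(results):
    """Persist the accepted run; in practice this is a file kept with the test project."""
    return json.dumps(results, sort_keys=True)


def _stable(response):
    return {k: v for k, v in response.items() if k not in VOLATILE_FIELDS}


def find_regressions(baseline_json, current):
    """Return {case: (expected, actual)} for every case whose stable fields changed."""
    baseline = json.loads(baseline_json)
    drift = {}
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual is None or _stable(actual) != _stable(expected):
            drift[name] = (expected, actual)
    return drift


def demo():
    cases = load_cases(TEST_DATA_CSV)
    baseline = record_baseline(run_suite(producer_v1, cases, "2009-07-05T10:00:00Z"))
    # Re-running the unchanged producer at a later time must report nothing
    same = find_regressions(baseline, run_suite(producer_v1, cases, "2009-07-05T11:00:00Z"))
    # Re-running the changed producer exposes the regression per data row
    changed = find_regressions(baseline, run_suite(producer_v2, cases, "2009-07-05T12:00:00Z"))
    return same, changed


if __name__ == "__main__":
    unchanged, regressed = demo()
    print("unchanged producer:", sorted(unchanged) or "no regressions")
    for case, (expected, actual) in sorted(regressed.items()):
        print("REGRESSION", case, "expected", expected, "got", actual)
```

Comparing only the stable fields is what keeps a baseline usable across runs; without that, every re-run would flag every case because the timestamp moved, and real regressions would drown in noise.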

Wednesday, June 24, 2009

SOA Security Testing - XML Gateways

SOA/XML Gateways are secure bridges that integrate enterprises with their trading partners while ensuring that the information flow upholds the tenets of information assurance: privacy (encryption), integrity (signatures and schemas) and traceability (audit and archive). SOA Testing of XML Gateways requires significant functional depth across security attributes (SSL, WS-Encryption, WS-Signatures), identity facets (SAML, WS-UserName, WS-X.509, WS-Kerberos), structural tests (Schema and Schematron) as well as message exchange patterns based on XML, SOAP, and REST.

Forum Sentry is one such XML Gateway, with a significant differentiating emphasis on security. Jason Macy, VP Engineering and CTO at Forum Systems, recently recorded an informative webcast highlighting security for XML Gateways. Once such Gateways are deployed, using comprehensive SOA Testing products such as SOAPSonar is essential to ensure that the gateway is operating as expected.

  • For more information on SOA Testing Techniques, click here.
  • For more information on XML Gateways, click here.

Monday, June 15, 2009

SOA Build, Test and Secure Paradigm

With Crosscheck Networks' recent acquisition of Forum Systems, the SOA/XML landscape continues to trend towards market consolidation. Enterprises now expect well-integrated products that help IT professionals across the Web Service life cycle, not just in pre- or post-production alone.

  • For building web services, consumers need to get their client-side code developed even before the services are ready. This is where service simulation becomes critical.
  • On the flip side, developers and testers of service providers (service endpoints) need to iteratively test the functional, performance and security characteristics of such services.
  • Once the service endpoints are ready to go, an intermediate XML Gateway needs to be deployed to protect the endpoints.

Through well-integrated products such as SOAPSonar, SOAPSimulator and Forum Sentry, Crosscheck Networks and its wholly-owned subsidiary, Forum Systems, provide comprehensive Web Service Build, Test and Secure functionality for industrial Web Services deployments.

Monday, June 01, 2009

SOA Tips: Transaction Monitoring

Recently, I had a great conversation with Jack Vaughan on transaction traceability and monitoring with SOA. He graciously published some of our talking points under SOA Advisor, a useful section under SearchSOA.com that provides actionable tips on a variety of SOA, XML, and Web Services related topics including SOA Testing.

For the SOA Tips, see:

http://searchsoa.techtarget.com/tips/index/0,289482,sid26_tax309147,00.html

Thursday, February 05, 2009

SOA Testing and Simulation of HL7 v3 messages using Schematrons

In my discussions with engineers at Crosscheck Networks, I have come across an interesting use case in the health care industry where HL7 v3 - an ANSI health care standard modeling clinical, administrative, pharmacy, medical devices and imaging domains - is being deployed by the Dutch Government. The Dutch government's aggressive health care initiative in building a nationwide Health Information Broker (HIB) can serve as a good model for the current US Administration that is considering transforming US health care through nationwide electronic medical records (EMR) as one of its key policy initiatives.

In the Dutch health care technology infrastructure, based on the Web Services-enabled HL7 v3 specification, message exchanges take place between Health Information Systems via a HIB that maintains the necessary relationships between health care parties. The HIB is an intelligent message intermediary between entities involved in health care, including providers, payers and pharmacies. The HIB ensures the high quality and validity of health care information, which reduces errors caused by manual information processing.

Crosscheck Networks SOAPSimulator and SOAPSonar are an integral part of the HIB, to the extent that health care parties can only tie into the HIB if they meet message viability requirements set and enforced by Crosscheck SOAPSimulator at the HIB. The HL7 v3 message exchange criteria are set at the semantic level as well as the transmission level. Through sophisticated use of standards such as WS-I Basic Profiles and Schematrons, custom health care semantic requirements and message transmission requirements are addressed.

Schematron assertions and rules provide a flexible way of capturing business-domain-specific rules that a message must meet to be valid. This improves message interoperability between health care parties. Schematrons enable business rules that can then be enforced on the HL7 v3 messages flowing through the Dutch HIB. SOAPSimulator is deployed as the message validity enforcer for HL7 v3 messages. As new health care parties get ready to integrate with the Dutch HIB, they must first satisfy the rules set in SOAPSimulator via Schematrons that check the correctness and validity of the HL7 v3 requests and responses. Such checks serve as a prerequisite for production-level integration and reduce interoperability issues between health care parties.

Figure 1: Configuring Schematron 1.5 Criteria Rules for HL7 v3 in SOAPSimulator

Figure 2: Configuring ISO Schematron Criteria Rules for HL7 v3 in SOAPSimulator

In addition to checking against Schematrons, SOAPSimulator checks against a number of additional criteria to ensure that the right identity and security constructs are being used in the message requests.
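To show how Schematron assertions and reports gate a message before it is admitted, here is an added example (not SOAPSimulator's code and not the Dutch HIB's actual criteria) that evaluates a subset of Schematron in Python: `<ns>`, `<pattern>` and `<rule context="...">` with `<assert>` and `<report>`, where the context and test expressions are ElementTree paths and a non-empty node-set counts as true, as in Schematron. Both ISO and 1.5 schema namespaces are recognised. The HL7 v3 message is a simplified, constructed transmission wrapper, and the OIDs and rules are sample values.

```python
"""Apply Schematron-style rules to an HL7 v3 message before admitting it.

Added example, not SOAPSimulator's code. Only a subset of Schematron is
evaluated: ns, pattern, rule/@context, assert/@test and report/@test, with
the expressions written as ElementTree paths. Message, OIDs and rules are
constructed sample data.
"""
import xml.etree.ElementTree as ET

SCHEMATRON_NAMESPACES = ("http://purl.oclc.org/dsdl/schematron",   # ISO Schematron
                         "http://www.ascc.net/xml/schematron")      # Schematron 1.5

RULES = """<schema xmlns="http://purl.oclc.org/dsdl/schematron">
  <ns prefix="hl7" uri="urn:hl7-org:v3"/>
  <pattern id="transmission-wrapper">
    <rule context=".">
      <assert test="hl7:id[@root]">the message must carry an id with an OID root</assert>
      <assert test="hl7:creationTime[@value]">creationTime is required</assert>
      <assert test="hl7:interactionId[@extension]">interactionId must name the interaction</assert>
      <report test="hl7:processingCode[@code='D']">debug processing code is not accepted by the HIB</report>
    </rule>
    <rule context="hl7:sender/hl7:device">
      <assert test="hl7:id[@root]">the sending device must be identified by an OID root</assert>
    </rule>
  </pattern>
</schema>"""

# Constructed, simplified HL7 v3 transmission wrappers; OIDs are sample values
GOOD_MESSAGE = """<PRPA_IN201305UV02 xmlns="urn:hl7-org:v3">
  <id root="2.16.840.1.113883.3.9999.1" extension="msg-0001"/>
  <creationTime value="20090205101500"/>
  <interactionId root="2.16.840.1.113883.1.6" extension="PRPA_IN201305UV02"/>
  <processingCode code="P"/>
  <receiver typeCode="RCV"><device classCode="DEV" determinerCode="INSTANCE">
    <id root="2.16.840.1.113883.3.9999.2"/></device></receiver>
  <sender typeCode="SND"><device classCode="DEV" determinerCode="INSTANCE">
    <id root="2.16.840.1.113883.3.9999.1"/></device></sender>
</PRPA_IN201305UV02>"""

BAD_MESSAGE = """<PRPA_IN201305UV02 xmlns="urn:hl7-org:v3">
  <id root="2.16.840.1.113883.3.9999.1" extension="msg-0002"/>
  <interactionId root="2.16.840.1.113883.1.6" extension="PRPA_IN201305UV02"/>
  <processingCode code="D"/>
  <sender typeCode="SND"><device classCode="DEV" determinerCode="INSTANCE">
    <id extension="dev-7"/></device></sender>
</PRPA_IN201305UV02>"""


def load_rules(schematron_xml):
    """Return (namespace map, [(context, [(kind, test, message), ...]), ...])."""
    schema = ET.fromstring(schematron_xml)
    sch = schema.tag.split("}")[0].strip("{")
    if sch not in SCHEMATRON_NAMESPACES:
        raise ValueError("not a Schematron schema: %s" % sch)
    q = lambda name: "{%s}%s" % (sch, name)
    nsmap = {n.get("prefix"): n.get("uri") for n in schema.findall(q("ns"))}
    rules = []
    for rule in schema.iter(q("rule")):
        checks = [(child.tag.split("}")[-1], child.get("test"), (child.text or "").strip())
                  for child in rule if child.tag in (q("assert"), q("report"))]
        rules.append((rule.get("context"), checks))
    return nsmap, rules


def validate(message_xml, nsmap, rules):
    """Return the message of every failed assert and every fired report, in rule order."""
    root = ET.fromstring(message_xml)
    failures = []
    for context, checks in rules:
        for node in root.findall(context, nsmap):
            for kind, test, message in checks:
                holds = bool(node.findall(test, nsmap))
                # assert complains when its test is false; report complains when its test is true
                if (kind == "assert" and not holds) or (kind == "report" and holds):
                    failures.append(message)
    return failures


def demo():
    nsmap, rules = load_rules(RULES)
    return validate(GOOD_MESSAGE, nsmap, rules), validate(BAD_MESSAGE, nsmap, rules)


if __name__ == "__main__":
    good, bad = demo()
    print("good message:", good or "admitted")
    print("bad message:", bad)
```

The point of expressing these as Schematron rather than in code is that a party preparing to integrate can be handed the rule file itself; the same file then runs at the HIB and in the party's own pre-integration checks.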

References:

1) Implementing Web Services in Dutch Health
2) Electronic Medical Records and Obama's Economic Plan
3) http://www.hl7.org/
4) Web Service Enablement of HL7 v3
5) An Introduction to Schematron
6) Crosscheck Networks SOAPSonar and SOAPSimulator

Monday, November 17, 2008

Web Services Simulation

What should you do in your web services project when you're ready to start building your web services client, but your producer service is not ready? The answer is simple: use Web Service Simulation. The obvious advantages of Service Simulation are as follows:

  • Reduce overall development time by making simulated services available before they are built.
  • Tell the client whether it's sending the right messages to the service. For example, the service may expect a SAML token and require the body of the message to be signed. A service simulator can ensure that the client (consumer) is indeed following such requirements even before the producer services are built.
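The second point above as an added example (not SOAPSimulator's code): a minimal simulator for a producer that requires a SAML assertion in the WS-Security header and a signature over the Body, and otherwise answers from a library of canned request/response pairs. The checks are structural only (presence of the elements and of a Signature reference to the Body's wsu:Id); cryptographic verification of the signature is not performed. The operations, responses, token and digest values are constructed placeholders.

```python
"""Minimal service simulator: enforce the producer's message requirements before answering.

Added example, not SOAPSimulator's code. Stands in for a producer that
requires a SAML assertion in the WS-Security header and a signature over the
Body, then answers from a library of canned request/response pairs. Checks
are structural only; no signature cryptography is verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed library of anticipated operations and their pre-set responses
CANNED_RESPONSES = {
    "GetAccountBalance": "<GetAccountBalanceResponse><balance>1250.00</balance></GetAccountBalanceResponse>",
    "ListTransactions": "<ListTransactionsResponse><count>0</count></ListTransactionsResponse>",
}


def check_requirements(envelope):
    """Return the list of producer requirements the request fails to meet."""
    problems = []
    body = envelope.find("env:Body", NS)
    if body is None:
        return ["missing SOAP Body"]
    security = envelope.find("env:Header/wsse:Security", NS)
    if security is None:
        return ["missing WS-Security header"]
    if security.find("saml:Assertion", NS) is None:
        problems.append("SAML assertion required in Security header")
    body_id = body.get("{%s}Id" % NS["wsu"])
    referenced = {ref.get("URI") for ref in
                  security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if body_id is None or ("#" + body_id) not in referenced:
        problems.append("Body must carry a wsu:Id and be referenced by the Signature")
    return problems


def simulate(request_xml):
    """Answer like the not-yet-built producer: a Client fault or a canned response."""
    envelope = ET.fromstring(request_xml)
    problems = check_requirements(envelope)
    if problems:
        return {"status": "fault", "code": "Client", "detail": "; ".join(problems)}
    body = envelope.find("env:Body", NS)
    operation = body[0].tag.split("}")[-1] if len(body) else ""
    if operation not in CANNED_RESPONSES:
        return {"status": "fault", "code": "Client", "detail": "unknown operation %r" % operation}
    return {"status": "ok", "operation": operation, "body": CANNED_RESPONSES[operation]}


def make_request(operation, with_saml=True, signed=True):
    """Build a constructed consumer request; token and digest values are placeholders."""
    assertion = ('<saml:Assertion Version="2.0" ID="_a1"><saml:Issuer>idp.example.test'
                 '</saml:Issuer></saml:Assertion>') if with_saml else ""
    signature = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1">'
                 '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
                 '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ""
    return (
        '<env:Envelope xmlns:env="%(env)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
        'xmlns:ds="%(ds)s" xmlns:saml="%(saml)s">' % NS
        + "<env:Header><wsse:Security>" + assertion + signature + "</wsse:Security></env:Header>"
        + '<env:Body wsu:Id="body-1"><%s xmlns="urn:example:bank"/></env:Body>' % operation
        + "</env:Envelope>"
    )


def demo():
    return {
        "good": simulate(make_request("GetAccountBalance")),
        "no_saml": simulate(make_request("GetAccountBalance", with_saml=False)),
        "unsigned": simulate(make_request("GetAccountBalance", signed=False)),
        "unknown": simulate(make_request("CloseAccount")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

A consumer developed against this stand-in finds out on day one that an unsigned Body or a missing token is rejected, instead of discovering it when the real producer goes live.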

Here's a whitepaper that provides details on how to use service simulation to shorten your SOA projects while making your service invocations cleaner and more interoperable.

Accelerate your SOA Projects through Service Simulation

Thursday, November 13, 2008

The consequences of overlooking SOA testing blind spots

Colleen Frye, News Writer for SearchSoftwareQuality.com published a valuable article on the consequences of overlooking SOA Testing Blindspots. Rizwan Mallal, quoted in this article, highlights a couple of solid technical points:

  1. HTTP 200 codes, although important in web site testing, are insufficient for web services testing, which requires deeper content inspection to decide whether a request-response pair is successful.
  2. Simply sending the same message over and over again as Performance Testing is incorrect and flawed. Most endpoints enforce security that requires message uniqueness and detects message replay attacks. Most testing tools that started as web application testing tools lack web services testing features and are inadequate for SOA Testing.
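Both points above as one added example (not SOAPSonar's code): `classify_response()` shows why an HTTP 200 carrying a SOAP Fault is still a failed request-response pair, and `ReplayGuard` with `fresh_message()` shows why a load generator has to vary the nonce and Created timestamp per message when the endpoint enforces uniqueness in the style of the WS-Security UsernameToken profile. All response bodies and timings are constructed.

```python
"""Two checks a web services test tool needs beyond the HTTP status line.

Added example, not SOAPSonar's code. classify_response() looks inside the
SOAP Body instead of trusting HTTP 200; ReplayGuard models an endpoint that
rejects stale or repeated messages, so a load test must send fresh ones.
All sample messages are constructed.
"""
import base64
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def classify_response(http_status, body_xml, expected_local_name):
    """Pass only when status is 200, the Body has no Fault and the expected element is present."""
    if http_status != 200:
        return "fail: http status %d" % http_status
    try:
        root = ET.fromstring(body_xml)
    except ET.ParseError as exc:
        return "fail: response is not well-formed XML (%s)" % exc
    body = root.find("{%s}Body" % ENV)
    if body is None:
        return "fail: no SOAP Body"
    fault = body.find("{%s}Fault" % ENV)
    if fault is not None:
        return "fail: SOAP Fault: %s" % (fault.findtext("faultstring") or "(no faultstring)")
    if not any(child.tag.split("}")[-1] == expected_local_name for child in body.iter()):
        return "fail: expected element %s missing" % expected_local_name
    return "pass"


class ReplayGuard:
    """Endpoint-side uniqueness check (nonce + Created, as in a WS-Security UsernameToken)."""

    def __init__(self, freshness_seconds=300, clock_skew_seconds=60):
        self.freshness = timedelta(seconds=freshness_seconds)
        self.skew = timedelta(seconds=clock_skew_seconds)
        self.seen = {}  # nonce -> Created time, retained for the freshness window

    def accept(self, nonce, created, now):
        if created > now + self.skew or created < now - self.freshness:
            return False  # post-dated or stale: outside the window the nonce cache covers
        # Drop nonces whose window has closed so the cache stays bounded
        for old in [n for n, t in self.seen.items() if t < now - self.freshness]:
            del self.seen[old]
        if nonce in self.seen:
            return False  # exact replay of an earlier message
        self.seen[nonce] = created
        return True


def fresh_message(payload, now):
    """What a load generator must do per request: new nonce, current Created, same payload."""
    return {"nonce": base64.b64encode(os.urandom(16)).decode("ascii"),
            "created": now, "payload": payload}


def demo():
    fault = ('<env:Envelope xmlns:env="%s"><env:Body><env:Fault><faultcode>env:Client</faultcode>'
             '<faultstring>Signature verification failed</faultstring></env:Fault>'
             '</env:Body></env:Envelope>' % ENV)
    ok = ('<env:Envelope xmlns:env="%s"><env:Body><GetQuoteResponse xmlns="urn:example:quotes">'
          '<price>42.10</price></GetQuoteResponse></env:Body></env:Envelope>' % ENV)
    verdicts = (classify_response(200, fault, "GetQuoteResponse"),
                classify_response(200, ok, "GetQuoteResponse"),
                classify_response(500, ok, "GetQuoteResponse"))
    guard = ReplayGuard()
    t0 = datetime(2008, 11, 13, 9, 0, 0, tzinfo=timezone.utc)
    first = fresh_message("<GetQuote/>", t0)
    accepted_first = guard.accept(first["nonce"], first["created"], t0)
    # Sending the identical message again is what a naive load test does
    replayed = guard.accept(first["nonce"], first["created"], t0 + timedelta(seconds=1))
    second = fresh_message("<GetQuote/>", t0 + timedelta(seconds=1))
    accepted_second = guard.accept(second["nonce"], second["created"], t0 + timedelta(seconds=1))
    stale = fresh_message("<GetQuote/>", t0 - timedelta(seconds=600))
    accepted_stale = guard.accept(stale["nonce"], stale["created"], t0 + timedelta(seconds=2))
    return verdicts, (accepted_first, replayed, accepted_second, accepted_stale)


if __name__ == "__main__":
    verdicts, replay = demo()
    print("verdicts:", verdicts)
    print("first / replay / fresh / stale accepted:", replay)
```

A load test that reports throughput from HTTP status alone against such an endpoint will happily count thousands of rejected replays as successful transactions.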

SOAPSonar from Crosscheck Networks, unlike other products in the industry, is built from the ground up for SOA/Web Service Testing and natively supports the XML, SOAP, WSDL, WS-Security, WS-Trust and MTOM standards for functional, performance, interoperability and security testing, with a very simple-to-use user interface that doesn't require an army of consultants to install and configure. Plus, Crosscheck provides a Personal Edition of the product for free.

For a detailed article on SOA Testing Blindspots see: Watch your SOA Testing Blindspots

Tuesday, September 09, 2008

SOA Testing and Governance through WSDL Report Cards

Are all WSDLs created equal? SOAPSonar 4.0 by Crosscheck Networks brings this age-old question from the metaphysical domain to the empirical domain by providing an easy-to-use report card.

Based on configurable governance rules, developers and QA professionals can now live in relative harmony by reviewing WSDL report cards during the SOA Lifecycle.

For details on WSDL Report Cards, read the following article published by Rich Seeley, SearchSOA:

WSDL gets a Report Card

http://searchsoa.techtarget.com/news/article/0,289142,sid26_gci1329141,00.html#

Wednesday, September 03, 2008

Hardware-based SOA Testing

Crosscheck Networks released an industry-first, hardware-based SOA Testing capability by integrating SOAPSonar with Smart Cards produced by A.E.T. Europe B.V.

SOA Testing for signatures, encryption, decryption, and X.509 client authentication is now seamlessly provided within the SOAPSonar testing framework. SOAPSonar provides the ability to use keys from a SmartCard to perform digital signatures, encryption, decryption, and SSL X.509 mutual authentication. SOAPSonar provides a native integration with A.E.T. SafeSign Client software to dynamically access the digital keying information on the card.

For details, see: http://www.soatesting.com/2008/08/smartcard-testing-for-soap-and-web.html

Friday, July 18, 2008

Webinar on SOA Governance using Service Simulation

On Wednesday, July 30 (11:00 am EST), Crosscheck Networks is scheduled to present a webinar on Design-Time SOA Governance using Service Simulation, which basically means that you can mimic a web service before it is ready. Design-Time SOA Governance serves a number of key uses, such as:

1) Web Service developers can start building consumer applications before the producer services are ready. SOA Testers can build their test suites even before the producer services are ready, thereby compressing the SOA Project Lifecycle.

2) Producer Service Developers can provide a portable service simulation with requirements that the consumers have to meet before consumer applications are allowed to invoke the producer services. The requirements can include message formats and the security and identity standards expected by the producer services. Additional business-level requirements can also be simulated, such that for certain requests a pre-set response is returned. Enabling a library of anticipated request-response pairs for a service ensures that consumers can build robust applications before the services are available.

3) Generating WSDL report cards is essential in measuring the relative quality of WSDLs within a SOA deployment.

For details about the webinar, visit:

https://www1.gotomeeting.com/register/653854184

Monday, June 09, 2008

Techniques in Attacking and Defending SOA Web Services

I am excited to co-host the first of a new series of webinars launched by Crosscheck Networks and Forum Systems on Techniques in Attacking and Defending SOA Web Services. If you are interested in SOA, SOA Gateways, SOA Governance and Security, SOA Testing, XML Firewalls, SOAP, XML, WSDLs, SQL Injection, Denial of Service Attacks, and SOA Identity, please consider attending the webinar.

Title: Techniques in Attacking and Defending SOA Web Services.
Date: June 19, 2008 (Thursday).
Time: 1:00 pm Eastern.
To register: https://www1.gotomeeting.com/register/503736495

We are excited to see the level of interest and enthusiasm in this Webinar Series and look forward to exhibiting Attack and Defense techniques in SOA deployments.

Thursday, May 29, 2008

SOA Testing Consolidation: Green Hat Software acquires Solstice Software

Green Hat Software, a London, UK-based SOA Testing company, has acquired Solstice Software, a Delaware, US-based SOA Testing company. The consolidation in the SOA Testing space is expected as larger companies add SOA Testing to their portfolio of SOA products. Although this is a private-to-private merger/acquisition, it's a good move that will give the combined companies European and North American coverage and will help them to effectively compete against established SOA Testing players such as Parasoft, Crosscheck Networks, iTKO and Mindreef.

HP and IBM have been touting SOA Testing products; however, they lack the functionality, maturity and install base within the SOA Testing space. HP's "SOA Testing" approach comes from a registry-based (Systinet acquisition) and web site testing (Mercury acquisition) background, whereas IBM's SOA Testing approach comes from its Rational UML modelling division. Both HP and IBM have yet to become serious contenders in the SOA Testing space.

http://www.ebizq.net/news/9657.html?rss

Sunday, May 25, 2008

SOA Testing considerations for SOA Gateways

SOA Testing touches a number of components within the IT ecosystem, including SOA Gateways. Since a SOA Gateway is usually deployed close to the corporate edge, rigorous SOA Testing ensures that traffic ingressing and egressing an enterprise is clean, secured and valid; backend systems should be able to parse it easily once the SOA Gateway has given its stamp of approval on the quality of the message.

Download Paper (registration required):
SOA Gateways: Best Practices, Benefits & Requirements

This article published by Forum Systems - the pioneer of SOA Gateways - covers deployment best practices, benefits and requirements with a focus on service virtualization, message privacy and integrity, and message control and auditing. It will help the reader frame SOA Testing scenarios necessary for SOA Gateways.

"A SOA Gateway is a core infrastructure component of a SOA with the ability to integrate XML/SOAP-based services securely. Typically deployed as a hardware appliance, a SOA Gateway seamlessly controls access to services, protects information through data-level encryption, ensures the integrity of a message through signatures, and controls information flow."

Friday, April 25, 2008

New SOA Testing Tutorial Labs introduced at STAREAST 2008

STAREAST 2008 - the "Greatest Software Testing Conference On Earth" - is taking place May 5-9, 2009 in Orlando, Florida. I had the pleasure of the first, day-long SOA Testing conference back in 2006 with the Crosscheck Networks team. This year, the team will conduct their signature day-long tutorial, "The Art and Science of SOA Testing", with a set of hands-on Labs that cover topics such as:

  • SOA Functional Testing
  • Operation Chaining
  • SOA Identity Testing
  • SOA Performance Testing
  • SOA Interop Testing
  • Automation through external Data Sources
  • SOA Regression Testing

As the SOA Testing industry matures, this tutorial continues to align its material and labs to give attendees a solid grounding in which aspects of SOA Testing are essential for a successful SOA deployment.

Friday, April 18, 2008

Crosscheck Networks Announces New Product: SOAPSimulator

Crosscheck Networks, the company that pioneered comprehensive SOA Testing through its product, SOAPSonar, has now launched a new "paradigm-shifting" product, SOAPSimulator, that enables QA professionals and developers to start getting their work done even if the service endpoint is not ready or available.

For details on SOAPSimulator, see:

http://www.crosschecknet.com/SOAPSimulator_News_0408.php

Make sure to download the white paper from the link above.

Wednesday, April 09, 2008

SOA Testing using Parallels on MacBook Pro

I have finally moved over from XP to Mac and I am loving it. Now I do have a number of applications that I will probably not migrate away from - such as the MS Office Suite that I purchased for my MacBook Pro - it works like a charm and has a number of goodies that weren't available on my XP.

I also can't live without Visio and heavily use Crosscheck Networks products, SOAPSonar and SOAPSimulator - applications that are not available natively for Macs; however, Parallels comes to the rescue. For $79.99, Parallels Desktop 3.0 for Mac has been a great investment. It is easy-to-use, fast and the images of your Operating Systems can be moved around easily. I don't know how it compares to VMWare, but I have no complaints about Parallels, yet. I like Parallels' Full Screen Mode and Coherence Mode that lets your Windows apps appear as if they are running natively within Mac OS X Leopard.

The image above shows SOAPSonar (a .NET-based SOA Testing Application) running in Parallels on a MacBook Pro.

Thursday, April 03, 2008

Service Simulation - Help Jumpstart SOA Testing

Here's a paper that the folks at Crosscheck Networks have authored on how Service Simulation can accelerate your SOA Testing, Client Side Development while saving you money by eliminating the need to build an expensive "SOA Reference System."

I have seen others talk about this concept in terms of virtualization and confuse everyone - I guess using hot marketing jargon helps get attention at the expense of adding confusion. The key aspects of Service Simulation are portability and ease-of-use, without which it adds more to the project timelines than what it promises to reduce.

Here's what Service Simulation is and how it helps:

"Reusable services are the cornerstone of a successful implementation of Service Oriented Architecture (SOA). Service simulation can mimic producer services before they are implemented, an alternative to an expensive reference environment. In this paper, we cover SOA Project Lifecycle issues and how best to address them through service simulation."

For the complete article, see:

Accelerate your SOA Projects Through Service Simulation

http://www.softwaremag.com/pdfs/whitepapers/Crosscheck_WP4.pdf