Emerging Technologies: How to secure new products


This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."

Download it now to read this article plus other related content.

Web Services (continued)

Requires Free Membership to View

  • Bake security into development. Security must function as a design partner not solely as an auditor. Involve security early and often in the SOA software development lifecycle. Since developers have historically viewed security as an impediment, be proactive, presenting cost- and time-savers such as reusable security services.

    For example, browser-based single sign-on using SAML enables better, faster, cheaper authentication services that can span multiple application boundaries.

    Offer expertise through threat-modeling services to help define the security requirements for the project, and provide security and QA testing.

  • Look beyond the center. IT security must embrace decentralized security architectures, as SOA pushes data and decision-making out to the edges of organizations.

    The architectural problem is how to enforce security policy consistently on distributed endpoints and intermediaries you probably don't control and/or can't continually audit.

    These may include adding semi-autonomous remote branch offices, agents working from home, and outsourced development and business processes. Security architecture for services such as authentication, authorization and auditing must embrace this new order.

  • Get the message. SOA is an XML message document-oriented way of organizing systems. In traditional IT security, the server authenticates and authorizes the client based on the request. However, under SOA integration, the message document contains the information the service provider--not a single central server--requires to perform authentication and authorization.

    The security architecture must reflect this; it's the single biggest mind-set shift for many IT security organizations.

    This model requires IT security to be agile in collaborating with business goals, because it relies less on hard physical boundaries and auditing every intermediary endpoint.

    The messages are protected with encryption, digital signatures and content validation whether or not they are in use in Amsterdam, Sydney or Rome.
Focus enterprise security on design and implemen-tation for reusable message security mechanisms like signing and encryption that enable wide interoperability through open standards, such as WS-Security and SAML (See "SOA: Built on Standards"). Since these are not trivial to develop, specialized tools such as XML security gateways (See "Message Mediators") have emerged.

This was first published in July 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: