My last day at my job for the past 13 years is coming up this Thursday (7/3). I have spent the last couple of weeks writing a document describing everything I have learned about SOA over the past two years so that I can leave some knowledge behind. When I got to the chapter on security, I was surprised to find how little information there was on the web as compared to most SOA topics. As I dug deeper I realized that what was missing was blog posts from practitioners. Nearly the entire Google result set for SOA security was links to vendor information, industry analysts, or authors. Where are all of the bloggers on this topic?
This concerns me. I wonder if IT in general is underestimating the need for more security when it comes to SOA. Security in SOA is much more complex than what we were used to in the client-server world. An improperly secured SOA is a hacker's dream!
Check out this quick whiteboard video on ZDNet.
SOA Security risks
- SOA exposes your legacy applications to the outside world
- SOA uses WSDL, XML, and SOAP to allow services to be discoverable and self-describing. These are human-readable ASCII and can give away the keys to the kingdom if the proper security is not in place.
- Integration presents numerous challenges including single sign-on, privacy, encryption, etc. at the message level.
Of all the research that I have done recently, I recommend two sources. First is the book SOA Security by Ramarao Kanneganti and Prasad A. Chodavarapu. This is an outstanding book that uses simple examples to get key points across. You don't have to be a security guru to read this book. Second, spend some time at the OWASP website and make sure you design for the Top Ten threats.
To all you EA and SOA bloggers out there, let's start a conversation about SOA security. There seemed to be discussions in the previous years, but for whatever reason it has become very quiet in 2008. Security should be built in up front, not an afterthought that you take care of later.