Security

The Threat Behind the Firewall

Sat, 12 Sep 2009 18:30:00 EDT

I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title. They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations. Graduating from floppy disks, as early as 2003 articles were warning against the possible threats introduced with these devices – 256Mb for $160 back then – and yet we still see some sort of incident reported almost once a week! From consultants, to government employees, to Mortgage lenders, to the International Space Station, what used to be a giveaway staple at trade shows, these tiny less-than-two-inch drives can hit and hurt you in a multitude of ways.

The Neglected Flipside of SOA Security

Tue, 08 Sep 2009 13:00:00 EDT

Joe McKendrick kicks off a thread on the current state of SOA Security. As usual, most discussion of SOA Security applies to "how SOA can be made secure". This is understandable. And, as some commentators have pointed out, there is a body of Best Practice out there on how to secure services in an SOA. For example, Randy Heffner provides lots of good advice on how to secure the services in an SOA)

Navigating the SOA Security Waters

Mon, 09 Mar 2009 10:15:00 EDT

You don't have to be a chief information officer to realize that security is becoming a corporate concern as more business is transacted on the Web. The mounting fears are well founded. Web attacks are growing in sophistication. Data is flowing faster and to more applications and more users. New Web development models, such as Web 2.0 and AJAX, are appearing.

Four Reasons Why Data Security Strategies Fail

Mon, 10 Nov 2008 13:08:00 EST

There are many reasons why a data security strategy could self-destruct, not the least of which is a new breed of highly motivated data thieves who stand to make a considerable profit on customer and other sensitive information in data centers. We're often so mired with putting out data security and compliance fires that we don't have time to step back and look at the high-level issues that could have prevented many of those fires from igniting in the first place.

Layer 7 Technologies Expands SOA Into Belgian Market

Wed, 28 May 2008 15:30:00 EDT

Layer 7 Technologies announced its go-to-market partnership with Steria Benelux. Steria will act as a channel partner for Layer 7's SOA gateway products in Belgium to offer leading SOA security, governance solutions and support to its current and prospective customers.

SOA World - SOA SDLC: On-Demand

Thu, 22 May 2008 08:00:00 EDT

Spending time with my parents over the holidays got me thinking about the differences between this generation and the previous one. My parents expect to spend a certain amount of time and effort managing certain aspects of their lives. For example, when they drive to an unfamiliar vacation spot, they inquire about directions and even write or plot the route before they head out. Whereas for me, it is a matter of popping out an iPhone or a GPS device, saving time, improving accuracy, and avoiding the mistakes of manually drafting the directions.

Testing Process Orchestrations Based on the BPEL Standard

Mon, 05 May 2008 18:00:00 EDT

Composite applications are made up of discreet services that have been tried and proven reliable, but building an orchestration that incorporates services that come from several sources, some of them outside of the company, could introduce testing hazards beyond just bad output. For example, let's say that your business has a process that includes activities to run a credit check with an external credit agency or to schedule a package delivery with an external shipping service.

Is SOA Ready to Move from the Whiteboards and into Production IT?

Mon, 20 Aug 2007 08:45:00 EDT

Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source.

Security in a SOA

Sat, 14 Apr 2007 16:15:00 EDT

As the name suggests, a Service Oriented Architecture is one where application functionality is packaged as autonomous services that adhere to industry standard interfaces (WSDL, SOAP), and the services are then deployed in an IT architecture that makes for their most effective use. The component services can be rapidly reused and composited, plugged and played as it were, to create new business offerings and they can be individually upgraded for increased business agility. However, to achieve the promise of a SOA it's imperative that critical non-business logic-related functionality, the foremost of which is security, should also be provided and used as a service. And for this to occur it has to be externalized, accessed, and managed independently from the business logic-related services.

SOA Access Control Policy Management

Thu, 19 Oct 2006 13:15:00 EDT

When SOAP-based Web Services solutions began appearing five years ago, one of the major challenges was securely propagating end-user identity in Web Service chaining scenarios. Certainly a user could authenticate to a portal, and that portal could talk to a Web Service that talks to another Web Service that talks to another Web Service (and so on), but the big question was - how could each point in the Web Service chain be assured who the requesting end user really was?

Build Management Is Critical to Developing an SOA Enterprise

Mon, 16 Oct 2006 12:00:00 EDT

Developing under a Service Oriented Architecture (SOA) is different from traditional development. A large set of business changes will now be funneled through a relatively small number of enterprise services. An inefficient or bad build system can impact a greater number of business changes. As services are exposed to more consumers and so to more potential threats having a robust and secure development environment is more important than ever. Centralized role-based control of builds and reporting of build activities is critical for incorporating a greater number of changes and managing the security and auditability of Web Services.

Creating Secure Web Service Sessions

Thu, 10 Aug 2006 12:45:00 EDT

Over the past five years, the promise of enterprise information sharing has made great strides with the evolution of Web Services and the promise of Service Oriented Architectures (SOA). An architectural shift that moves us away from point-to-point client/server systems.

McAfee's Foundstone Professional Services to Launch Free Web Service Tools

Thu, 15 Jun 2006 11:00:00 EDT

McAfee the leading dedicated security company, announced that Foundstone Professional Services will launch a series of free tools that teach developers, programmers, architects and security professionals how to create more secure software. The tools will also review the root causes of increasingly prolific crimes such as e-shoplifting, session hi-jacking and identity theft.

WS Security Performance

Mon, 17 Apr 2006 11:15:00 EDT

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

SOA Security

Sat, 03 Dec 2005 20:30:00 EST

As organizations move to service-oriented architecture (SOA), security becomes one of the key concerns impacting deployment. After all, a company's most sensitive information is frequently stored in the business systems that are now being accessed by the Web services employed within an SOA. As such, security concerns have become part of the enterprise decision-making process relating to the adoption of a SOA.

Forum Systems Touts Web Security

Sun, 19 Jun 2005 21:00:00 EDT

'The best approach to selecting the optimal Web services security solution is to assess the needs to be met and then to identify a solution that best fits those needs, precisely and affordably,' according to Forum Systems. Key to this approach is the avoidance of one-size-fits-all solutions that may be over-engineered to underperform.

Solve Your Application Security Issues

Thu, 02 Dec 2004 00:00:00 EST

I'm sure I'm like many of you in this respect: I got into engineering because I love the idea of being able to address complex problems with a combination of my talent, my friends' talent, and the tools that I can come up with to make our work as easy as possible (work smart not hard!). It is this approach that has guided me in my work as an application and technical architect.

Web Services + the Grid = Prime Time

Thu, 28 Oct 2004 00:00:00 EDT

Web services and the Grid are converging! The prospect of grid-based, commodity computers delivering run anywhere, anytime Web services across the Internet has hype-o-meters showing a speedy rise and marketing departments gearing up everywhere.

Opinion: Web Services Security Hype

Fri, 01 Oct 2004 00:00:00 EDT

According to the latest Web services 'hype cycle' from Gartner, both Web services security standards and the deployment of Web services with security are rushing headlong into the dreaded 'Trough of Disillusionment.' This means that the greatest levels of hype in these areas are supposedly behind us and the reality of just what can and cannot be done is collectively dawning on us.

Beyond XML Firewalling

Tue, 03 Aug 2004 00:00:00 EDT

Traditional development produces applications that are closed to wide usage. Custom development is required to open these programs to wide-scale integration. In contrast, Web services applications are by default open to other systems and additional configuration is required to block access.

Web Security Provider RSA Announces New Products and Partnerships

Wed, 28 Jul 2004 00:00:00 EDT

With increasing Web-based transactions, the need for secure communications between applications increases.

Beyond XML Firewalling

Fri, 09 Jul 2004 00:00:00 EDT

Who's Master of Your Domain?

Fri, 04 Jun 2004 00:00:00 EDT

W.C. Fields once said, 'The practice of keyhole-listening is usually confined to hotels and boarding houses. It is absolutely indefensible to stoop so low. If the transom is not ajar, remember there are plenty of other rooms in the building.' Hackers on the Web can take a similarly cavalier attitude - surfing from site to site until they find one whose 'transoms are ajar.' The question for you is whether yours are among them.

Enterprise Web Services Security: A Reference Architecture, part II

Mon, 08 Mar 2004 00:00:00 EST

Last month (WSJ, Vol. 4, issue 2), we looked at how Web services should not depend on specific security environments and rules but should be managed as part of all of an enterprise's corporate data assets such as Web applications, ERP systems, and in-house applications.

Advanced Web Services Security and Microsoft WSE

Mon, 08 Mar 2004 00:00:00 EST

As we move from the 'Hello World' days of Web services toward development that can truly support the enterprise, there are some advanced functional requirements for Web services, including secure messaging, reliable messaging, and Web service policies. Since interoperability is the 'Holy Grail' of XML and Web services, we must maintain this interoperability while supporting such advanced Web service functionalities.

Securing Your Enterprise Web Services in a Suspicious World

Fri, 05 Mar 2004 00:00:00 EST

Deploying XML Web services in the enterprise has many compelling advantages. Web services provide a powerful foundation for building loosely coupled distributed applications and service-oriented architectures (SOAs). Enterprises use Web services to lower the integration cost of business-to-business solutions, allowing partners to share business documents without custom coding.

Overcoming the Web Services Insecurity Complex

Mon, 27 Oct 2003 00:00:00 EST

Once merely so much hype, Web services are finally taking root in corporate IT. However, as organizations grow their Web services from pilots to internal integration projects to extra-enterprise deployments, they face a tangle of new security challenges.

A Strategy for Securing Web Services

Mon, 24 Feb 2003 00:00:00 EST

Security is not a new concern for companies that want to protect key information and systems from unauthorized access. Protection from such attacks has traditionally been achieved by placing those systems in a tightly controlled intranet accessed through a hardware firewall, possibly over secure TCP/IP connections. However, as more information and functionality are made available over the Web and distributed computing begins to cross corporate Internet boundaries, these mechanisms are no longer adequate. In addition, new concerns arise as a result of distributed computing and transacting business over the Web.

Secure Web Services

Mon, 23 Sep 2002 00:00:00 EDT

Businesses need to provide their users with a method for securely connecting to their networks while minimizing the costs associated with providing this service - and also providing end users with as much convenience as possible.

Securing Web Services

Fri, 01 Mar 2002 00:00:00 EST

The actual definition of a Web service is a matter of some debate because the world of Web services can extend from small closed networks to global discovery services implemented using UDDI (Universal Description, Discovery, and Integration). But at a practical implementation level it is useful to think of a Web service as any software service that can be defined using WSDL (Web Services Description Language) and which uses SOAP for communication between a requester and a listener. This communication uses SOAP as the enveloping protocol.

Beyond the Hype… the Reality of Web Services Adoption

Fri, 01 Mar 2002 00:00:00 EST

Web services have enormous promise, but not a single company today is yet fully tapping their potential. Indeed, early adopters are experimenting through carefully controlled pilots that take advantage of the evolutionary nature of the technology, and CIOs and IT organizations - fatigued by yet another 'new new thing' - are adopting a show-me attitude that requires Web services companies to prove that their offering works...and will create measurable value.

Making Second-Generation Web Services Secure

Fri, 01 Mar 2002 00:00:00 EST

When you hear the word security, what comes to mind? SSL? Firewalls? Authentication? Authorization? B-52 bombers? Security means different things to different people, but in the context of securing applications, we can think of security in two parts: access control and secure communication.