Is SOA Testing Tough Enough?

Comment Article

Straight Talking – Is SOA testing tough enough?

By Fran Howarth, Principal Analyst, Quocirca Ltd

Improved efficiency, new services, access to legacy apps - the advantages of service-oriented architecture seem endless. But there is a catch. The little question of security.

Service-oriented architecture (SOA) represents a huge shift in the way we approach computing. It's a business methodology more than a technological approach and lets organisations get more from existing systems. An SOA is more efficient because it calls up just those parts of applications required to perform a service, rather than loading the entire application. It also allows functional components of different applications to be combined in innovative ways to develop new services.

But there is a downside. An SOA can also increase security problems. Each software component must be authenticated when it is accessed. If this does not happen, it's all too easy for some outsider to inject a piece of rogue code into the request, contaminating a whole business process.

Another security weakness is that many organisations are SOA-enabling legacy applications as well as the new software that they are developing. This approach potentially exposes existing applications over open networks. These legacy applications were never designed to be accessed in this manner and so lack a security model to address external threats.

Commissioned by Fortify Software, Quocirca recently conducted a survey across Germany, the UK and US to assess the take-up of SOA. Almost three-fifths of respondents are implementing a large-scale SOA, including web-enabling existing applications. But just 10 per cent are following a policy of excluding legacy applications from their SOA deployments.

The survey highlights some interesting differences between countries. Among German organisations, 76 per cent are implementing an SOA that web-enables existing applications as well as new services-based functionality, while just 16 per cent have not yet started down the route to an SOA at all. Yet in the UK just 34 per cent of organisations have implemented a full SOA, including legacy applications, while 50 per cent have still to implement an SOA.

In terms of overall security, German organisations take the most proactive security stance among respondents and are the most advanced in terms of building security into the software applications that they develop. UK respondents, on the other hand, are the least likely to test applications for security using static code analysis tools and reusable models for defining the levels of security required for particular applications. These tools are useful in automating traditional code reviews and uncovering possible security issues so that they can be dealt with before the application or service is allowed into the main run-time environment.

The survey reveals some concerning issues. Closer analysis shows that across all three countries, less than half of organisations are using testing tools such as static code analysis when deploying a full SOA that exposes legacy applications. When individual countries are analysed, just 26 per cent of German organisations implementing full SOA deployments are using these tools. That figure runs counter to the high-level findings that appear to show German organisations as more security conscious. In the UK, 70 per cent of those deploying an SOA use such testing tools.

So the findings suggest many organisations among the frontrunners in SOA adoption appear to be following a risky strategy. It is a clear wake-up call for those organisations that are exposing legacy applications over open networks. A new breed of hackers has emerged recently who attack organisations for financial gain and specifically hunt for vulnerabilities in applications exposed over the internet.

The bottom line is that an SOA is something that must be effectively policed. Security should never be an afterthought. Organisations need to define a clear champion for the security of all SOA deployments, making that person also ultimately responsible for ensuring that only thoroughly tested applications with built-in security processes that have been thoroughly tested for security weaknesses are exposed via open networks.

As the survey shows, SOA implementations are occurring in large numbers - but this could be the next big security story on the horizon, unless organisations start to clearly assess the security risks and vulnerabilities of web-enabling older, potentially less secure applications.

Quocirca's report Why Application Security is Crucial is available free for download here.

© 2008 Quocirca Ltd

http://www.quocirca.com

+44 118 948 3360


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com
