
Quocirca's Straight Talking: Firms are falling down on security...
By Fran Howarth
Published: 20 May 2008 16:30 BST
Improved efficiency, new services, access to legacy apps - the advantages of service-oriented architecture seem endless. But there is a catch, says Fran Howarth. The little question of security.
Service-oriented architecture (SOA) represents a huge shift in the way we approach computing. It's a business methodology more than a technological approach and lets organisations get more from existing systems.
An SOA is more efficient because it calls up just those parts of applications required to perform a service, rather than loading the entire application. It also allows functional components of different applications to be combined in innovative ways to develop new services.
But there is a downside. An SOA can also multiply security exposure. Every service call must authenticate and authorise the caller, and every service must validate the request it receives, because each component is now reachable on its own rather than only through the application that once wrapped it.
If this does not happen, it is all too easy for an outsider to inject rogue data or code into a request and contaminate every business process that is built from that service.
Another security weakness is that many organisations are SOA-enabling legacy applications as well as the new software that they are developing. This approach potentially exposes existing applications over open networks.
These legacy applications were never designed to be accessed in this manner and so lack a security model to address external threats.
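The two weaknesses above, an unauthenticated service call and a legacy back end that was never designed to receive untrusted input, are illustrated below with an added example written for this page; it is not code from the survey or from any product it mentions. The scenario, the request format and all names (a hypothetical "genreport" command-line tool exposed as an XML service, a pre-shared HMAC key) are assumptions made for the example. The vulnerable handler passes a request field straight into the legacy tool's command line; the hardened handler first checks an HMAC over the request body, then accepts only fields matching the legacy tool's expected format, and builds an argument list rather than a shell string.

```python
import hmac
import hashlib
import re
import xml.etree.ElementTree as ET

# Assumption for the example: a per-caller key provisioned out of band.
SHARED_KEY = b"demo-shared-key"

# Constructed sample requests (not captured traffic).
GOOD_REQUEST = "<request><account>AB123456</account></request>"
ROGUE_REQUEST = "<request><account>AB123456; rm -rf /</account></request>"

# Hypothetical legacy tool: originally driven by a trusted batch job, so it
# never validated its arguments and was invoked as a shell command string.
def legacy_report_command(account):
    return "genreport --account " + account


def handle_request_unauthenticated(xml_text):
    """Vulnerable SOA wrapper: no caller authentication, field used verbatim.

    The rogue account value survives into the command string, so a shell
    invocation of the legacy tool would also run the attacker's command.
    """
    root = ET.fromstring(xml_text)
    account = root.findtext("account") or ""
    return legacy_report_command(account)


# What the legacy tool actually expects: two letters followed by six digits.
ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{6}")


def sign_request(xml_text, key=SHARED_KEY):
    """Caller side: HMAC-SHA256 over the exact request bytes."""
    return hmac.new(key, xml_text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(xml_text, sig_hex, key=SHARED_KEY):
    """Service side: constant-time comparison against the expected HMAC."""
    expected = sign_request(xml_text, key)
    return hmac.compare_digest(expected, sig_hex)


def handle_request_hardened(xml_text, sig_hex):
    """Hardened wrapper: authenticate the call, validate the field, no shell.

    Returns an argv list so the legacy tool can be started without a shell
    (e.g. subprocess.run(argv)), which removes the metacharacter problem
    even if validation were ever loosened.
    """
    if not verify_request(xml_text, sig_hex):
        raise PermissionError("request not authenticated")
    root = ET.fromstring(xml_text)
    account = root.findtext("account") or ""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("account field rejected by legacy input contract")
    return ["genreport", "--account", account]


if __name__ == "__main__":
    print("vulnerable:", handle_request_unauthenticated(ROGUE_REQUEST))
    sig = sign_request(GOOD_REQUEST)
    print("hardened:  ", handle_request_hardened(GOOD_REQUEST, sig))
```

The HMAC only shows that the caller holds the shared key; it says nothing about what the caller may do, so a real deployment would add per-service authorisation on top. The field validation is the part that protects the legacy application, which cannot be trusted to reject bad input itself.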
Commissioned by Fortify Software, Quocirca recently conducted a survey across Germany, the UK and US to assess the take-up of SOA. Almost three-fifths of respondents are implementing a large-scale SOA, including web-enabling existing applications.
But just 10 per cent are following a policy of excluding legacy applications from their SOA deployments.
The survey highlights some interesting differences between countries. Among German organisations, 76 per cent are implementing an SOA that web-enables existing applications as well as new services-based functionality, while just 16 per cent have not yet started down the route to an SOA at all.
Yet in the UK just 34 per cent of organisations have implemented a full SOA, including legacy applications, while 50 per cent have still to implement an SOA.
In terms of overall security, German organisations take the most proactive security stance among respondents and are the most advanced in terms of building security into the software applications that they develop.
UK respondents, on the other hand, are the least likely to test applications for security using static code analysis tools and reusable models for defining the levels of security required for particular applications.
These tools are useful in automating traditional code reviews and uncovering possible security issues so that they can be dealt with before the application or service is allowed into the main run-time environment.
The survey reveals some concerning issues. Closer analysis shows that across all three countries, fewer than half of organisations are using testing tools such as static code analysis when deploying a full SOA that exposes legacy applications.
When individual countries are analysed, just 26 per cent of German organisations implementing full SOA deployments are using these tools.
That figure runs counter to the high-level findings that appear to show German organisations as more security conscious. In the UK, 70 per cent of those deploying an SOA use such testing tools.
So the findings suggest that many of the frontrunners in SOA adoption are following a risky strategy. It is a clear wake-up call for those organisations that are exposing legacy applications over open networks.
A new breed of hackers has emerged recently who attack organisations for financial gain and specifically hunt for vulnerabilities in applications exposed over the internet.
The bottom line is that an SOA is something that must be effectively policed. Security should never be an afterthought.
Organisations need to define a clear champion for the security of all SOA deployments, and make that person ultimately responsible for ensuring that only applications with built-in security controls, which have been thoroughly tested for security weaknesses, are exposed via open networks.
As the survey shows, SOA implementations are occurring in large numbers - but this could be the next big security story on the horizon, unless organisations start to clearly assess the security risks and vulnerabilities of web-enabling older, potentially less secure applications.
Quocirca's report Why Application Security is Crucial is available free for download from Quocirca.
A leading user-facing analyst house known for its focus on the big picture, Quocirca is made up of a team of experts in technology and its business implications. The team includes Clive Longbottom, Bob Tarzey, Rob Bamforth, Dennis Szubert, Louella Fernandes and Fran Howarth. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.