Database Reference
In-Depth Information
this is definitely a positive thing), but you should perform peer reviews and parti-
cipate in testing at all levels. Frankly, this is not news; please refer to Thomas
Erl's topic, Service-Oriented Architecture (SOA): Concepts, Technology, and
Design , where you find SOA architect's role laid across a whole project's lifespan.
• With no magic pill available to mend all security issues at the end of the project,
an SOA architect should work hand in hand with a security specialist and be fa-
miliar with the current trends in risks, vulnerabilities, and attack types. OWASP
( http://www.owasp.org ) is definitely one of the best places to go, and all our fur-
ther analysis will be based on the classification proposed by this project.
• We have already mentioned one common security design rule generally associ-
ated with encryption and digital signature—algorithms are widely open, keys
(private of course) are utterly protected. This statement not only stresses the ne-
cessity of rigorous testing of a security's crucial elements but also denotes the
considerable risk associated with having something custom-built (in-house) as the
central part of your security infrastructure. The security is probably the one (very
conservative) area of IT where having your own private opinion could be an ex-
pensive luxury indeed.
You don't have to build everything from scratch. There are plenty of appropriate tools and
libraries and you, as an architect, should just put them (or apply the patterns) in the right
place. Again, a good starting point could be to maintain OWASP's terms and terminology
within your team—the common understanding of spoofing, surreptitious forwarding,
stack smashing, and so on. For the same reason, we will just follow the already proposed
classification, avoiding unnecessary reinvention.
Tip
To illustrate the risks of having a poor understanding of security design, a highly respect-
able IT company, and pioneer in event processing and BPMN, participated in CTU's RFI
process. Lacking the COTS market-proven security solution, this company proposed a
custom package, developed for other customers over several years. The proprietary Secur-
ity Perimeter was proposed to the completely stunned architects where scans for the
threatening content was executed after authentication. Further still, the scanner itself was
based on the standard XML parser. Having said that, in this chapter, we will not present
you with the custom solution as we did before for ESB and adapters. Instead, we will talk
about the API Gateway, a relatively new Oracle strategic product capable of covering five
out of eight common SOA security patterns.
Search WWH ::




Custom Search