Comment Article

Straight Talking – Is SOA testing tough enough?

By Fran Howarth, Principal Analyst, Quocirca Ltd

Improved efficiency, new services, access to legacy apps - the advantages of service-oriented architecture seem endless. But there is a catch. The little question of security.

Service-oriented architecture (SOA) represents a huge shift in the way we approach computing. It's a business methodology more than a technological approach and lets organisations get more from existing systems.

An SOA is more efficient because it calls up just those parts of applications required to perform a service, rather than loading the entire application. It also allows functional components of different applications to be combined in innovative ways to develop new services.

But there is a downside. An SOA can also increase security problems. Each software component must be authenticated when it is accessed.

If this does not happen, it's all too easy for some outsider to inject a piece of rogue code into the request, contaminating a whole business process.

Another security weakness is that many organisations are SOA-enabling legacy applications as well as the new software that they are developing. This approach potentially exposes existing applications over open networks.

These legacy applications were never designed to be accessed in this manner and so lack a security model to address external threats.

Commissioned by Fortify Software, Quocirca recently conducted a survey across Germany, the UK and US to assess the take-up of SOA. Almost three-fifths of respondents are implementing a large-scale SOA, including web-enabling existing applications. But just 10 per cent are following a policy of excluding legacy applications from their SOA deployments.

The survey highlights some interesting differences between countries. Among German organisations, 76 per cent are implementing an SOA that web-enables existing applications as well as new services-based functionality, while just 16 per cent have not yet started down the route to an SOA at all.

Yet in the UK just 34 per cent of organisations have implemented a full SOA, including legacy applications, while 50 per cent have still to implement an SOA.

In terms of overall security, German organisations take the most proactive security stance among respondents and are the most advanced in terms of building security into the software applications that they develop.

UK respondents, on the other hand, are the least likely to test applications for security using static code analysis tools and reusable models for defining the levels of security required for particular applications.

These tools are useful in automating traditional code reviews and uncovering possible security issues so that they can be dealt with before the application or service is allowed into the main run-time environment.

The survey reveals some concerning issues. Closer analysis shows that across all three countries, less than half of organisations are using testing tools such as static code analysis when deploying a full SOA that exposes legacy applications.

When individual countries are analysed, just 26 per cent of German organisations implementing full SOA deployments are using these tools.

That figure runs counter to the high-level findings that appear to show German organisations as more security conscious. In the UK, 70 per cent of those deploying an SOA use such testing tools.

© 2008 Quocirca Ltd http://www.quocirca.com +44 118 948 3360
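The component authentication the article calls for earlier ("each software component must be authenticated when it is accessed"), shown as an added example that is not part of the original piece or of any Quocirca or Fortify material: a hypothetical invoice service verifies that every incoming request carries an HMAC-SHA256 signature from a known caller over the caller name, operation, timestamp and body, and only then checks that the caller is permitted that operation. A request altered in transit (the "rogue code injected into the request" the article warns of) fails the signature check before any business logic runs. Caller names, secrets and operation names are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed, hypothetical caller credentials; a real SOA would provision
# these from a key store or PKI rather than hard-code them.
CALLER_KEYS: Dict[str, bytes] = {
    "billing-ui": b"constructed-secret-billing-ui",
    "legacy-bridge": b"constructed-secret-legacy-bridge",
}

# Which operations on the (hypothetical) invoice component each caller may invoke.
ACL: Dict[str, set] = {
    "billing-ui": {"GetInvoice"},
    "legacy-bridge": {"GetInvoice", "PostLedgerEntry"},
}

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too far ahead


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so both sides sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _message(caller: str, operation: str, ts: int, body: dict) -> bytes:
    # Caller, operation and timestamp are bound into the MAC alongside the body,
    # so none of them can be swapped without invalidating the signature.
    return b"|".join([caller.encode(), operation.encode(), str(ts).encode(), canonical(body)])


def sign_request(caller: str, operation: str, body: dict, ts: Optional[int] = None) -> dict:
    """Client side: build a request envelope carrying an HMAC-SHA256 over its contents."""
    ts = int(time.time()) if ts is None else ts
    sig = hmac.new(CALLER_KEYS[caller], _message(caller, operation, ts, body), hashlib.sha256).hexdigest()
    return {"caller": caller, "operation": operation, "ts": ts, "body": body, "sig": sig}


def verify_request(req: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Service side: authenticate the caller, check freshness, then authorise the operation."""
    now = int(time.time()) if now is None else now
    caller = req.get("caller", "")
    key = CALLER_KEYS.get(caller)
    if key is None:
        return False, "unknown caller"
    try:
        ts = int(req.get("ts"))
    except (TypeError, ValueError):
        return False, "missing timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    operation = str(req.get("operation", ""))
    body = req.get("body")
    if not isinstance(body, dict):
        return False, "malformed body"
    expected = hmac.new(key, _message(caller, operation, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison; the MAC check happens before any business logic runs.
    if not hmac.compare_digest(expected, str(req.get("sig", ""))):
        return False, "bad signature"
    if operation not in ACL.get(caller, set()):
        return False, "operation not permitted"
    return True, "ok"


if __name__ == "__main__":
    good = sign_request("billing-ui", "GetInvoice", {"invoice_id": 1042})
    print(verify_request(good))                       # (True, 'ok')
    tampered = dict(good, body={"invoice_id": 9999})  # payload altered in transit
    print(verify_request(tampered))                   # (False, 'bad signature')
    print(verify_request(sign_request("billing-ui", "PostLedgerEntry", {})))  # (False, 'operation not permitted')
```

The order of checks matters: identity and signature are established first, then the timestamp window limits replay, and only then is the operation authorised against the caller's entitlements, so an unauthenticated request never reaches the authorisation table or the service logic behind it.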

So the findings suggest many organisations among the frontrunners in SOA adoption appear to be following a risky strategy. It is a clear wake-up call for those organisations that are exposing legacy applications over open networks.
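A minimal illustration of the kind of pre-deployment check the survey asks about (static code analysis that surfaces issues before an application or service is allowed into the run-time environment), added here and not taken from the article or from any Fortify product: a Python AST scan that flags dynamic code evaluation and shell command execution in a constructed sample, and fails a release gate whenever it finds anything. The sample source and the sink list are constructed for the example.

```python
import ast
from typing import List, Tuple

# Constructed sample of source code submitted for review (not from the article).
# Line numbers reported below count from the first line of this string, which is blank.
SAMPLE_SOURCE = '''
import subprocess

def run_report(name):
    subprocess.call("gen_report " + name, shell=True)

def load_settings(text):
    return eval(text)

def run_report_safely(name):
    subprocess.call(["gen_report", name])
'''

Finding = Tuple[int, str]  # (line number, description)

# Sinks a reviewer would flag regardless of context (constructed list).
DYNAMIC_CODE_SINKS = {"eval", "exec"}
SHELL_SINKS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}


def _call_name(node: ast.Call) -> str:
    """Return 'name' or 'module.attr' for the callee, or '' if it is something more complex."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


class SinkVisitor(ast.NodeVisitor):
    """Walks every call expression and records the risky ones with their line numbers."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DYNAMIC_CODE_SINKS:
            self.findings.append((node.lineno, f"{name}() evaluates data as code"))
        elif name in SHELL_SINKS or name == "os.system":
            # subprocess only involves a shell when shell=True is passed explicitly;
            # os.system always does.
            shell = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if shell or name == "os.system":
                self.findings.append((node.lineno, f"{name} runs a command through the shell"))
        self.generic_visit(node)  # keep walking into nested calls and arguments


def scan(source: str) -> List[Finding]:
    """Parse the source and return findings sorted by line."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


def release_gate(source: str) -> bool:
    """True only when the scan is clean; a failing gate keeps the code out of the run-time environment."""
    return not scan(source)


if __name__ == "__main__":
    for lineno, why in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {why}")
    print("gate passed" if release_gate(SAMPLE_SOURCE) else "gate failed")
```

Real static analysers track data flow from untrusted inputs to these sinks rather than flagging every call; the point here is the workflow the article describes, in which the scan runs automatically and its result decides whether the code is released.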

A new breed of hackers has emerged recently who attack organisations for financial gain and specifically hunt for vulnerabilities in applications exposed over the internet.

The bottom line is that an SOA is something that must be effectively policed. Security should never be an afterthought.

Organisations need to define a clear champion for the security of all SOA deployments, making that person also ultimately responsible for ensuring that only applications with built-in security processes, thoroughly tested for security weaknesses, are exposed via open networks.

As the survey shows, SOA implementations are occurring in large numbers - but this could be the next big security story on the horizon, unless organisations start to clearly assess the security risks and vulnerabilities of web-enabling older, potentially less secure applications.

Quocirca's report Why Application Security is Crucial is available free for download here.


About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com
