XML Web services need a firewall

Application security in the node or network

Building application security into the specific application node that implements a given business system has some fundamental limitations. It's hard to:

• Add to legacy code and packaged applications
• Implement and maintain consistent policies across all nodes
• Prove that a given security policy has been implemented

Implementing application security in the network infrastructure addresses these limitations. An XML application firewall is an example of such a network infrastructure.

Initiatives aimed at building application security into the business system node have often included:

• Post-development security reviews of the design and source code
• Training for developers
• Improved development tools

While these initiatives are productive and should be continued, they do not address the full range of requirements. Organisations have generally found it difficult and inefficient to build in security after the fact. The issues are the same as when trying to build in quality after the fact. It is an established principal of software engineering management that the later in the development process a change is made, the more costly the change will be and the more likely that it will have unintended consequences. Therefore, even though an after-the-fact security review is an extremely valuable assessment tool, it does not work as a primary mechanism to achieve application security.

In general, better training and management of developers is extremely valuable. However, this approach does not address the full need. In practice, deployed environments always contain applications that were built under varying development procedures by varying teams at various times. Therefore, better training for the current in-house team does not provide the breadth and consistency of coverage required.

Similarly, capabilities such as encryption libraries and connections to authentication authorities, that are built in to a single development environment or runtime application server are insufficient to meet an organisation's full security needs. While those capabilities would then be available to developers writing new code for a given application server or development environment, they do not address legacy or packaged applications that do not use those tools.

Furthermore, simply providing an underlying mechanism isn't enough. It was still being left to the developer to write code that provided the logic that determined for a given combination of operations, service requests, and message content which specific security mechanism should be used.

For example, it's useful to have libraries built in to an application server for producing XML encryption and SSL encryption. However, that is only half the battle. You still need logic that determines whether or not encryption should be used, and, if so, what type of encryption, which key should be used, where to access that key, and so on.

• Related stories

• Alerts

Sign up for an e-mail alert

ZDNet Australia Alerts is an e-mail alert service which provides personalised news, features and reviews to readers’ inbox on an hourly, daily and weekly basis.

Alert:

E-mail: *

Frequency: *

Hourly Daily Weekly

Add alert

Be the first to comment on this article!

Add your opinion

All fields are required

Subject:
Comments:
Full name:
E-mail address:

Your e-mail will not be displayed

Posting options:

Display all details Do not display details

Security Code:

You must read and type the 6 chars within 0..9 and A..F

 

• Just In

• Most Popular

• Most Discussed

Login

E-mail Password (forgot?)

Login Remember

Sign up and win a iPhone3GS!

Reader Services

Popular Topics

Essentials