> analysis to determine just what kind of security they need
> and where which will then drive what they decide to do.
Agreed. Developing a threat model that identifies vulnerabilities so that
you can come up with countermeasures that mitigate them is critically
important for any app, and not just for a web service. BTW, WS-I has a good
document @
http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf that
provides a great starting point identifying web service security challenges.
>> If you leave security to the whim of the developer, then security is
>> going to be a significant challenge. But security for web services is no
>So I agree re: developers but can you explain more of your thinking
>behind that statement? Where do you think this knowledge is held? Which
>people would you expect to have the necessary skills and influence to
>make this work?
The security architects in your organization. If such a person or persons do
not exist, in the organization whose primary responsibility is Security, NOT
development. They must work with the DEVs, but their focus is Security and
not development.
>set of products save for a few trivial cases. For example, these
>products don't really help much with issues such as trojan horses or
>back doors - of course that's not a concern for all establishments.
No single product will ever address all concerns, which is why it is
important to have a defense in depth mentality with the right
tools/practices/technologies addressing each of the threats that were
identified as part of your threat model.
>As I said, real security is a cross-cutting issue that can't be
>centralized.
I guess this is where we have to agree to disagree. I think it is important
to centralize the security infrastructure precisely because it is a
cross-cutting concern and as such the only way to **consistently apply** it
across the board is to centralize the policy and guidance around security
implementation.
Regards,
- Anil
