{"id":2406,"date":"2007-04-10T00:00:00","date_gmt":"2007-04-10T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2007\/04\/10\/how-soa-increases-your-application-security-risk\/"},"modified":"2021-12-30T11:41:17","modified_gmt":"2021-12-30T11:41:17","slug":"how-soa-increases-your-application-security-risk","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2007\/04\/10\/how-soa-increases-your-application-security-risk\/","title":{"rendered":"How SOA increases your application security risk"},"content":{"rendered":"<p>Service-oriented architecture changes the security equation by introducing a greater reliance on third parties for application development and operation.  But according to Ray Wagner, managing vice president of information security and privacy at Gartner, this is a matter of degree rather than an introduction of a totally new security exposure.  For instance, an SOA application may depend on a web-based third-party service to provide vital functionality, with obvious security implications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Already malware commonly masquerades as useful code and sometimes does provide the function it promises while doing other less desirable things in secret.  <\/p>\n<p>That&#8217;s one of the three main exposures Wagner sees with SOA, and organisations are already experiencing problems when employees access the wrong sites from their work desktops and accidentally import malware into the enterprise.<\/p>\n<p>Combating malware &#8212; whether it is associated with SOA or someone downloading &#8220;free&#8221; music from a file-sharing site &#8212; requires a strategy which combines technology with education.  The security technology needs to be able to stop malware before it can infect the network.  The second major exposure is more technical and harder to intercept.  
Again, every organisation accepting XML-encoded files, which is the vast majority of organisations today, is exposed already.  But SOA promises to increase the number of XML transfers &#8212; and, therefore, the exposure &#8212; by orders of magnitude, while the huge volume of these transmissions in the SOA architecture also complicates the problem of intercepting the occasional piece of malware in that flow, even as that flow attracts increasing attention from criminals.<\/p>\n<p>Education is much less effective in dealing with this exposure, because the malware is more likely to be injected into an otherwise legitimate packet flow entering the enterprise and may further disguise itself by entering in several separate packets mixed into legitimate traffic.<\/p>\n<p>In a simple transaction the user authenticates at the beginning of the session and that authentication carries through the session.  However, in an SOA model the user may initiate a transaction and disconnect from the server while the transaction flows through a group of back-end services, so the user has no direct connection to the final 
transaction.<\/p>\n<p>http:\/\/computerworld.co.nz\/news.nsf\/devt\/808389829A348680CC2572B40001DCF8<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-2406","post","type-post","status-publish","format-standard","hentry","category-warnings"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2406"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2406\/revisions"}],"predecessor-version":[{"id":4893,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2406\/revisions\/4893"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}