Posted on 18-Dec-2015
Bulletproofing SOA
March 2006
A comprehensive strategy for ensuring a secure, reliable, compliant Service Oriented Architecture
Why SOA?
Business Effectiveness
• Agility, responsiveness to market/competitive dynamics
• Greater process efficiencies
• Deploy resources based on business needs
Cost Efficiency
• Reduced maintenance costs
• Reduced integration costs
• Reduced skills and effort to support business change
• Reduced application redundancy
Reduced Risk
• Higher level of IT quality
• Incremental deployment
• Improved payback times
• Promotion of reuse
• Lower integration costs
• Business agility
• Alignment between business and IT
What Does Quality Mean in SOA
(Diagram: a Visible Quality Process at the center, surrounded by Assurance, Trust and Roles)
The fundamental benefits desired from implementing a SOA demand a more comprehensive approach to manage and demonstrate software quality.
SOA is Uniquely Different
(Diagram: a Visible Quality Process at the center, surrounded by Assurance, Trust and Roles)
Achieving quality in a SOA requires the organization to behave much differently than it has in the past. At the center is a visible quality process.
• Visible Quality Process: Now more than ever, transparency in the overall quality process is a must. SOA impacts more people, more processes and more direct revenue.
• Roles: SOA has cross-functional and cross-department impacts. Quality must be addressed very early in the process.
• Trust: SOA impacts both internal and external resources. Trust becomes a critical component for reuse.
• Assurance: Secure, reliable, compliant services, keeping in mind both the producer and the consumer of the services. Questionable quality will doom the ROI.
SOA Impacts IT Roles
(Chart: Project Duration against Level of Integration across the Mainframe, Client Server, Internet and SOA eras; roles shown: Analyst, Arch, Dev, QA, Perform, Governance, Process; lifecycle: Design, Dev, Test, Deploy)
Trend 1: Project durations are shorter with higher levels of integration.
Trend 2: "Quality" and the quality process are being promoted higher in the organization.
Trend 3: Silos are being broken down into smaller cross-functional teams. Those teams have more distributed team members.
Trend 4: The onus of quality is being distributed in the process. QA's role is split.
SOA is Uniquely Different
(Diagram: a Visible Quality Process at the center, surrounded by Assurance, Trust and Roles)
Achieving quality is uniquely different in a SOA. Consistency is a must. A visible, reliable quality process is core to success.
• Visible Quality Process: Now more than ever, transparency in the overall quality process is a must.
• Roles: The quality process must start earlier and include more people.
• Trust: IT shops must earn trust.
• Assurance: Questionable quality will doom the ROI. Consistency is the key for adoption and interoperability.
A Visible Quality Process
(Diagram: Visibility, Measurement and Management applied through Software Test, Analysis & Governance across the Development Lifecycle Processes Design, Develop, Test, Deploy, yielding Quality & Progress)
• Visibility
• Measurable Checkpoints and Control
• Control Development Policy
• Control Code Behavior and Outcomes
• Visibility of Impact of Changing Components
• Leverage-able Test Assets
Parasoft SOAtest Solution
Example: Open a Credit Card Account
(Diagram: four layers, Consumer, Business Process, Web Service Layer and Application, with the Consumer side on the left and the Producer side on the right)
Consumer: A machine-to-machine or human interface wants to "open an account."
• Consistency in the service assets. Enforce policies, interoperability
• Trust, a visible quality framework
Business Process: The "open an account" process is initiated.
• Automated BPEL testing
• Greater business process coverage
• Rapid load and performance testing
Web Service Layer: Services invoked: "Get customer details," "Account Type," "Locate Record," "Check Customer Status"
• Full interoperability validation
• Ensure secure services
• Test individual service operations
• Test use case scenarios
• Create regression suites
• Manage tests as a "Team"
• Visibility of service asset quality
Application: These services reach into applications, packaged or custom apps.
• Is the application reliable for SOA
• Automated code analysis
• Automated unit testing
Generic SOA Architecture
Parasoft SOAtest
• SOA Quality Visibility
• SOA testing framework
• SOA aware to reduce complexity
• Automated policy enforcement
• Automated business process testing
• Automated scenario testing
• Scriptless load and performance testing
(Diagram: architecture components, each with the testing it receives)
Orchestration: Automated BPEL testing. Graphical construction of scenarios.
ESB: Test multiple protocols with scenarios to automate test coverage. Emulate endpoints.
Security Gateway: Test gateway policies by driving positive and negative traffic. Security POCs.
WSM: Test cases can leverage QoS data from WSM. Create test cases for SLA violations.
Registry: SOA Development Governance. Tests incorporate UDDI.
Java / .NET App Servers: Automated code analysis. Automated unit testing. Regression testing.
Legacy, Adapters, Mainframe: Test via emulation.
Challenges Deploying a SOA
• Managing risk
• Promoting reuse
• Properly addressing security
• Organizational alignment
• Managing complexity
Challenge – Managing Risk
Consolidation of applications or services for mission critical processes increases the risk of failure. More users are impacted.
(Chart: Impact of Downtime (Risk) rises with Reuse of Services, compared with Distributed Applications)
Challenge – Promoting Reuse
Creating an asset that is reusable is easy, promoting reuse is a much different challenge
Aside from granularity, reuse is all about trust. There is no such thing as a "used car":
Manufacturer | Point Inspection | Special Financing | Certified Warranty Details
Chrysler | 125 | Yes | 8 years / 80,000 mile Powertrain Limited Warranty, measured from original vehicle in-service date.
Ford | 115 | Yes | 6 years / 75,000 miles from the In-Service date
GMC | 110+ | Yes | 3 months / 3,000 miles from the Purchase date
Lexus | 161 | Yes | 3 years from the Purchase date / 100,000 miles from the In-Service date
Mercedes-Benz | 130+ | Yes | 12 months from Purchase date / 100,000 miles from the In-Service date
Toyota | 160 | Yes | 7 years / 100,000 miles Limited Power Train Warranty from date when first sold as new.
Challenge - Addressing Security
(Diagram: Architect, Develop, Test, Monitor lifecycle, with a GAP between the Assumptions made early and the Audits performed late)
There is a gap in how WS security is addressed. "Security is not my problem, it's coming from somewhere else." There hasn't been a big scandal, yet! Security is usually bolted on. Audits are usually performed too late. Need to be able to detect vulnerabilities as early as possible.
Challenge – Org. Alignment
Fundamental shift in tactical responsibilities. No longer application centric. Business enablement. New paradigm / new focus.
(Diagram: Strategy, Process, Roles and Responsibilities, People)
Challenge - Managing Complexity
(Chart: Complexity rises with the number of Services; Automated Governance and Quality Control marks the Risk Eliminated)
Complexity sneaks up on you. External services increase complexity exponentially. Accidental exposures.
Tasks to Bulletproof Web Service
(Diagram: Message Layer above Implementation Layer; implementation technologies Java, C/C++, .NET, Db)
Message Layer
• Verify Service Description
• Verify Policies
• Test Web Services Infrastructure
• Unit test Service Layer
• Business Process Test
• Scenario Test
• Functional Security Test / Penetration Test
• Regression Test
• Verify Scalability and Performance
Implementation Layer
• Code Analysis: Security, Reliability, Performance, Maintainability
• Automated Unit/Regression Testing
• Component Unit/Regression Testing
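One way to exercise the message-layer tasks above (verify policies, functional security test, regression test) with positive and negative traffic, as the Security Gateway annotation describes. This is an added example, not Parasoft SOAtest code: a Python policy check run over a constructed "open an account" SOAP request, assuming a WS-Security policy that requires a fresh Timestamp and a digest UsernameToken (the policy, the 5-minute window and the sample messages are assumptions; the namespace URIs are the standard WS-Security 1.0 ones, not from the slides).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"  # standard WS-Security 1.0 URIs
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "wssecurity-secext-1.0.xsd", "wsu": WSS + "wssecurity-utility-1.0.xsd"}
DIGEST = WSS + "username-token-profile-1.0#PasswordDigest"
MAX_SKEW = timedelta(minutes=5)  # assumed replay window for the Timestamp policy

def check_policy(envelope_xml, now):
    """Return the policy violations found in one request; an empty list means compliant."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["missing wsse:Security header"]
    violations = []
    created = sec.find("wsu:Timestamp/wsu:Created", NS)  # policy 1: a fresh Timestamp
    if created is None or not created.text:
        violations.append("missing wsu:Timestamp")
    elif abs(now - datetime.fromisoformat(created.text.replace("Z", "+00:00"))) > MAX_SKEW:
        violations.append("timestamp outside replay window")
    pw = sec.find("wsse:UsernameToken/wsse:Password", NS)  # policy 2: digest, never PasswordText
    if pw is None:
        violations.append("missing wsse:UsernameToken")
    elif pw.get("Type") != DIGEST:
        violations.append("password must be PasswordDigest, not plaintext")
    return violations

def make_envelope(created, pw_type, with_security=True):
    # Constructed "open an account" request; the header is omitted for the negative case
    security = "" if not with_security else (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">'
        "<wsu:Timestamp><wsu:Created>%s</wsu:Created></wsu:Timestamp>"
        "<wsse:UsernameToken><wsse:Username>teller</wsse:Username>"
        '<wsse:Password Type="%s">REDACTED</wsse:Password></wsse:UsernameToken>'
        "</wsse:Security>" % (NS["wsse"], NS["wsu"], created.strftime("%Y-%m-%dT%H:%M:%SZ"), pw_type))
    return ('<soap:Envelope xmlns:soap="%s"><soap:Header>%s</soap:Header><soap:Body>'
            "<OpenAccount><AccountType>checking</AccountType></OpenAccount>"
            "</soap:Body></soap:Envelope>" % (NS["soap"], security))

def run_suite(now=None):
    # Positive and negative traffic through the policy check, the way a regression suite would
    now = now or datetime.now(timezone.utc)
    cases = {"compliant": make_envelope(now, DIGEST),
             "stale_timestamp": make_envelope(now - timedelta(hours=1), DIGEST),
             "plaintext_password": make_envelope(now, WSS + "username-token-profile-1.0#PasswordText"),
             "no_security_header": make_envelope(now, DIGEST, with_security=False)}
    return {name: check_policy(xml, now) for name, xml in cases.items()}
```

Each negative case is expected to fail for exactly the policy it violates, so a change that silently accepts a stale timestamp or a plaintext password shows up as a regression.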