Bulletproofing SOA March 2006 A comprehensive strategy for ensuring a secure, reliable, compliant Service Oriented Architecture

Post on 18-Dec-2015

Page 1: Bulletproofing SOA March 2006 A comprehensive strategy for ensuring a secure, reliable, compliant Service Oriented Architecture

Bulletproofing SOA

March 2006

A comprehensive strategy for ensuring a secure, reliable, compliant Service Oriented Architecture

Page 2: Why SOA?

Business Effectiveness
• Agility, responsiveness to market/competitive dynamics
• Greater process efficiencies
• Deploy resources based on business needs

Cost Efficiency
• Reduced maintenance costs
• Reduced integration costs
• Reduced skills and effort to support business change
• Reduced application redundancy

Reduced Risk
• Higher level of IT quality
• Incremental deployment
• Improved payback times

• Promotion of reuse
• Lower integration costs
• Business agility
• Alignment between business and IT

Page 3: What Does Quality Mean in SOA

[Diagram: a Visible Quality Process at the center, surrounded by Roles, Trust and Assurance]

The fundamental benefits desired from implementing a SOA demand a more comprehensive approach to manage and demonstrate software quality.

Page 4: SOA is Uniquely Different

[Diagram: a Visible Quality Process at the center, surrounded by Roles, Trust and Assurance]

Achieving quality in a SOA requires the organization to behave much differently than it has in the past. At the center is a visible quality process.

• Visible Quality Process: Now more than ever, transparency in the overall quality process is a must. SOA impacts more people, more processes and more direct revenue.

• Roles: SOA has cross-functional and cross-department impacts. Quality must be addressed very early in the process.

• Trust: SOA impacts both internal and external resources. Trust becomes a critical component for reuse.

• Assurance: Secure, reliable, compliant services, keeping in mind both the producer and the consumer of the services. Questionable quality will doom the ROI.

Page 5: SOA Impacts IT Roles

[Chart: Project Duration against Level of Integration, across Mainframe, Client Server, Internet and SOA]

[Diagram: Governance and Process spanning Design, Dev, Test and Deploy; the "Perform" role split among QA, Dev, Arch, Analyst and QA]

Trend 1: Project durations are shorter, with higher levels of integration.

Trend 2: "Quality" and the quality process are being promoted higher in the organization.

Trend 3: Silos are being broken down into smaller cross-functional teams. Those teams have more distributed team members.

Trend 4: The onus of quality is being distributed in the process. QA's role is split.

Page 6: SOA is Uniquely Different

[Diagram: a Visible Quality Process at the center, surrounded by Roles, Trust and Assurance]

Achieving quality is uniquely different in a SOA. Consistency is a must. A visible, reliable quality process is core to success.

• Visible Quality Process: Now more than ever, transparency in the overall quality process is a must.

• Roles: The quality process must start earlier and include more people.

• Trust: IT shops must earn trust.

• Assurance: Questionable quality will doom the ROI. Consistency is the key for adoption and interoperability.

Page 7: A Visible Quality Process

[Diagram: Software Test, Analysis & Governance spanning the Development Lifecycle Processes (Design, Develop, Test, Deploy), providing Visibility, Measurement and Management of Quality & Progress]

Visibility
• Measurable Checkpoints and Control
• Control Development Policy
• Control Code Behavior and Outcomes
• Visibility of Impact of Changing Components
• Leverage-able Test Assets

Page 8: Parasoft SOAtest Solution

Example: Open a Credit Card Account

Consumer: A machine-to-machine or human interface wants to "open an account."

Business Process: The "open an account" process is initiated.

Web Service Layer: Services invoked: "Get customer details," "Account Type," "Locate Record," "Check Customer Status."

Application: These services reach into applications, packaged or custom apps.

[Diagram: Producer and Consumer sides of the layers above]

Consumer
• Consistency in the service assets. Enforce policies, interoperability
• Trust, a visible quality framework

Business Process
• Automated BPEL testing
• Greater business process coverage
• Rapid load and performance testing

Web Service Layer
• Full interoperability validation
• Ensure secure services
• Test individual service operations
• Test use case scenarios
• Create regression suites
• Manage tests as a "Team"
• Visibility of service asset quality

Application
• Is the application reliable for SOA
• Automated code analysis
• Automated unit testing

Page 9: Generic SOA Architecture

Parasoft SOAtest
• SOA Quality Visibility
• SOA testing framework
• SOA aware to reduce complexity
• Automated policy enforcement
• Automated business process testing
• Automated scenario testing
• Scriptless load and performance testing

Architecture layers and how each is tested:

Orchestration: Automated BPEL testing. Graphical construction of scenarios.

ESB: Test multiple protocols with scenarios to automate test coverage. Emulate endpoints.

Security Gateway: Test gateway policies by driving positive and negative traffic. Security POCs.

WSM: Test cases can leverage QoS data from WSM. Create test cases for SLA violations.

Registry: SOA Development Governance. Tests incorporate UDDI.

Java / .NET App Servers: Automated code analysis. Automated unit testing. Regression testing.

Legacy Adapters / Mainframe: Test via emulation.

Page 10: Challenges Deploying a SOA

• Managing risk
• Promoting reuse
• Properly addressing security
• Organizational alignment
• Managing complexity

Page 11: Challenge – Managing Risk

Consolidation of applications or services for mission-critical processes increases the risk of failure. More users are impacted.

[Chart: Impact of Downtime (Risk) for Reuse of Services versus Distributed Applications]

Page 12: Challenge – Promoting Reuse

Creating an asset that is reusable is easy; promoting reuse is a much different challenge.

Aside from granularity, reuse is all about trust. There is no such thing as a "used car":

| Manufacturer  | Point Inspection | Special Financing | Certified Warranty Details |
|---------------|------------------|-------------------|----------------------------|
| Chrysler      | 125  | Yes | 8 years / 80,000 mile Powertrain Limited Warranty, measured from original vehicle in-service date. |
| Ford          | 115  | Yes | 6 years / 75,000 miles from the In-Service date |
| GMC           | 110+ | Yes | 3 months / 3,000 miles from the Purchase date |
| Lexus         | 161  | Yes | 3 years from the Purchase date / 100,000 miles from the In-Service date |
| Mercedes-Benz | 130+ | Yes | 12 months from Purchase date / 100,000 miles from the In-Service date |
| Toyota        | 160  | Yes | 7 years / 100,000 miles Limited Power Train Warranty from date when first sold as new. |

Page 13: Challenge - Addressing Security

[Diagram: Architect, Develop, Test, Monitor lifecycle, labelled Assumptions, GAP and Audits]

Need to be able to detect vulnerabilities as early as possible.

There is a gap in how WS security is addressed:
• "Security is not my problem, it's coming from somewhere else"
• There hasn't been a big scandal, yet!
• Security is usually bolted-on
• Audits are usually performed too late

Page 14: Challenge – Org. Alignment

• Fundamental shift in tactical responsibilities
• No longer application centric
• Business enablement
• New paradigm / new focus

[Diagram: Strategy, Process, Roles/Responsibilities, People]

Page 15: Challenge - Managing Complexity

[Chart: Complexity against Services, with Risk Eliminated by Automated Governance and Quality Control]

• Complexity sneaks up on you
• External services increase complexity exponentially
• Accidental exposures

Page 16: Tasks to Bulletproof Web Service

[Diagram: Message Layer above an Implementation Layer of Java, C/C++, .NET and Db components]

Page 17: Tasks to Bulletproof Web Service

[Diagram: Message Layer above an Implementation Layer of Java, C/C++, .NET and Db components]

Message Layer
• Verify Service Description
• Verify Policies
• Test Web Services Infrastructure
• Unit test Service Layer
• Business Process Test
• Scenario Test
• Functional Security Test / Penetration Test
• Regression Test
• Verify Scalability and Performance

Implementation Layer
• Code Analysis: Security, Reliability, Performance, Maintainability
• Automated Unit/Regression Testing
• Component Unit/Regression Testing