There are requirements placed on the deployment and provisioning of web service code into live networks. Security and Information Assurance (IA) concerns prevent the hosting of foreign code on servers of closed networks. There is tooling required to support the analytics of web service packages. Architecture, source code, and binary packages all need to be reviewed while creating a certification document for hosting approval.
Concerns by IA Staff for the hosting of web services
- Steady state input/output
- Network openings and vulnerabilities
- Potential for secret back door
- Failure modes
The approval to host a web service on a network boils down to two major decisions.
- I analyze the web service design and implementation for vulnerabilities
- I trust the developer, therefore I trust the service candidates
This approach can be used to push down certification to development enclaves. Service development shops can have in-house IA teams to provide certification statements along with service deployment packages. A network hosting facility will receive the package coming from a trusted development shop and deploy the service to the network with no questions asked.
For non-trusted or smaller development shops the service code would need to be submitted as part of the deployment package. The package would have to be analyzed and certified before live connection to the network would be allowed.
In either case tools to support certification of services are required.
1 comment:
It sounds a bit like our country's current position on nuclear disarmament: trust, yet verify :) I am in violent agreement that there are multiple steps associated with the path toward trusted/certified services.
I would address your previously stated two major decisions in reverse order:
trust the developer
verify the service
There are several organizations that are starting to offer SOA/Web Service certifications for developers (for example, Sun's certified developer for java web services). While this particular designation is language dependent (and perhaps it really should be) there are opportunities to create a baseline certification for WS developers then have subject matter tests (a bit like the SAT subject tests) for particular languages and perhaps hosting environments.
For the second point, to achieve any velocity with respect to the certification process, the web service analysis needs to be automated to the extent practicable including such items as source code analysis, WSI compliance, security validation and other aspects that can be validated using automated tools. Ideally these tools would also generate the required certification artifacts that will further accelerate the granting of the ability to operate on an identified network.
Post a Comment