Bulletproofing SOA March 2006 A comprehensive strategy for ensuring a secure, reliable, compliant Service Oriented Architecture
Why SOA? Business Effectiveness Agility, responsiveness to market/competitive dynamics Greater process efficiencies Deploy resources based on business needs Cost Efficiency Reduced maintenance costs Reduce integration costs Reduced skills and effort to support business change Reduce application redundancy Reduced Risk Higher level of IT quality Incremental deployment Improved payback times Promotion of reuse Lower integration costs Business agility Alignment between business and IT
What Does Quality Mean in SOA The fundamental benefits desired from implementing a SOA demand a more comprehensive approach to manage and demonstrate software quality
SOA is Uniquely Different Achieving quality in a SOA requires the organization to behave much different than it has in the past. At the center is a visible quality process. Visible Quality Process Now more than ever transparency in the overall quality process is a must. SOA impacts more people, more processes and more direct revenue. Roles SOA has cross functional and cross department impacts. Quality must be addressed very early in the process. Trust SOA impacts both internal and external resources. Trust becomes a critical component for reuse. Assurance Secure, reliable, compliant services keeping in mind both the producer and the consumer of the services. Questionable quality will doom the ROI.
SOA Impacts IT Roles Project Duration Mainframe Client Server Internet SOA Level of Integration Trend 3 Silos are being broken down into smaller cross-functional teams. Those teams have more distributed team members. Trend 2 “Quality” and the quality process is being promoted higher in the organization Governance Process DesignDevTestDeploy Trend 4 The onus of quality is being distributed in the process. QAs role is split. Perform QA Dev Arch Trend 1 Project durations are shorter with higher levels of integration. Analyst QA
SOA is Uniquely Different Achieving quality is uniquely different in a SOA. Consistency is a must. A visible, reliable quality process is core to success. Visible Quality Process Now more than ever transparency in the overall quality process is a must. Roles The quality process must start earlier and include more people. Trust IT shops must earn trust. Assurance Questionable quality will doom the ROI. Consistency is the key for adoption and interoperability.
VisibilityVisibilityMeasurementMeasurementManagementManagement Software Test, Analysis & Governance DesignDevelopTestDeploy Development Lifecycle Processes Visibility Measurable Checkpoints and Control Control Development Policy Control Code Behavior and Outcomes Visibility of Impact of Changing Components Leverage-able Test Assets Quality & Progress A Visible Quality Process
Parasoft SOAtest Solution Consumer Example: Open a Credit Card Account Business Process Web Service Layer Application A machine to machine or human interface wants to “open an account.” The “open an account” process is initiated. Services invoked “Get customer details,” “Account Type” “Locate Record,” “Check Customer Status” These services reach into applications. Packaged or Custom Apps. Producer Consumer Consistency in the service assets. Enforce policies, interoperability Trust, a visible quality framework Automated BPEL testing Greater business process coverage Rapid load and performance testing Full interoperability validation Ensure secure services Test individual service operations Test use case scenarios Create regression suites Manage tests as a “Team” Visibility of service asset quality Is the application reliable for SOA Automated code analysis Automated unit testing
Generic SOA Architecture Parasoft SOAtest SOA Quality Visiblity SOA testing framework SOA aware to reduce complexity Automated policy enforcement Automated business process testing Automated scenario testing Scriptless load and performance testing Orchestration ESB Security Gateway WSM Registry Java /.NET App Servers Legacy Adapters Mainframe Automated BPEL testing. Graphical construction of scenarios. Test multiple protocols with scenarios to automate test coverage. Emulate endpoints. Test gateway policies by driving positive and negative traffic. Security POCs. Test cases can leverage QoS data from WSM. Create test cases for SLA violations. SOA Development Governance. Tests incorporate UDDI. Automated code analysis. Automated unit testing. Regression testing. Test via emualtion.
Challenges Deploying a SOA Managing risk Promoting reuse Properly addressing security Organizational alignment Managing complexity
Challenge – Managing Risk Consolidation of application or services for mission critical processes increases the risk of failure. More users are impacted Reuse of Services Impact of Downtime (Risk) Distributed Applications Impact of Downtime (Risk)
Challenge – Promoting Reuse Creating an asset that is reusable is easy, promoting reuse is a much different challenge Aside from granularity, reuse is all about trust There is no such thing as a “used car” Manufacturer Point Inspection Special Financing Certified Warranty Details Chrysler 125Yes 8 years / 80,000 mile Powertrain Limited Warranty, measured from original vehicle in-service date. Ford 115Yes6 years / 75,000 miles from the In-Service date GMC 110+Yes3 months / 3,000 miles from the Purchase date Lexus 161Yes 3 years from the Purchase date / 100,000 miles from the In-Service date Mercedes-Benz 130+Yes 12 months from Purchase date / 100,000 miles from the In-Service date Toyota 160Yes 7 years / 100,000 miles Limited Power Train Warranty from date when first sold as new.
AuditsAssumptions GAP Need to be able to detect vulnerabilities as early as possible. Challenge - Addressing Security There is a gap in how WS security is addressed “Security is not my problem it’s coming from somewhere else” There hasn’t been a big scandal, yet! Security is usually bolted-on Audits are usually performed too late Develop TestMonitorArchitect
Challenge – Org. Alignment Fundamental shift in tactical responsibilities No longer application centric Business enablement New paradigm / new focus
Challenge - Managing Complexity Services Complexity Risk Eliminated Automated Governance and Quality Control Complexity sneaks up on you External services increase complexity exponentially Accidental exposures
Tasks to Bulletproof Web Service JavaC/C++.NETDb Message Layer Implementation Layer
Tasks to Bulletproof Web Service JavaC/C++.NETDb Message Layer Verify Service Description Verify Policies Test Web Services Infrastructure Unit test Service Layer Business Process Test Scenario Test Functional Security Test / Penetration Test Regression Test Verify Scalability and Performance Implementation Layer Code Analysis Security- Reliability Performance- Maintainability Automated Unit/Regression Testing Component Unit/Regression Testing