CERT-SEI

Service-Oriented Architecture Implementation

The SEI has supported service-oriented architecture (SOA) implementation through its approach to web service verification.

Our approach to SOA web service verification addressed the key concerns of

  • information assurance—The need for information assurance poses the question of how to protect information and services by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. This level of protection is needed while the information is in storage, processing, or transit, whether it is threatened by malice or accident.
  • interoperability—Web service interoperability means that a web service can be invoked by, and can invoke, applications built on other platforms without custom integration; verifying it means checking the service's interfaces and message formats against the standards it claims to follow.
  • networthiness—The networthiness of a web service in an SOA context depends on determining the network impact of the web service, developing port and protocol white list policies for its use, conducting network security scans to confirm that the web service does not compromise the network it is deployed on, and other factors.

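The port and protocol white list check described under networthiness, as an added example that is not code from the SEI page or its report: a small Python script compares the open listeners a network scan found on a host against the allow-list policy for the web service deployed there and reports anything outside the policy. The policy line format, the 'orders' service name, and the scan output are all constructed for this example; the scan lines follow the PORT/STATE/SERVICE layout that nmap prints, but any scanner output in that shape would do.

```python
"""Port/protocol white-list check for a web service's network footprint.

Added example (not from the SEI page or its report). Given an allow-list
policy for a web service and the listeners a network scan found on its host,
it reports listeners outside the policy, which is what a networthiness
review would flag, and policy entries that were not observed at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Endpoint:
    proto: str  # "tcp" or "udp"
    port: int


def parse_policy(text: str) -> set[Endpoint]:
    """Parse allow-list lines of the form 'tcp/443'; '#' starts a comment.

    The line format is an assumption of this example, not an SEI format.
    """
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            proto, port = line.lower().split("/")
            allowed.add(Endpoint(proto, int(port)))
        except ValueError as exc:
            raise ValueError(f"bad policy line: {raw!r}") from exc
    return allowed


def parse_scan(text: str) -> set[Endpoint]:
    """Collect open listeners from nmap-style 'PORT STATE SERVICE' lines.

    Lines whose first field is not 'port/proto' (headers, comments, blanks)
    are ignored; 'open' and 'open|filtered' both count as listening.
    """
    seen = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue
        port, proto = parts[0].split("/", 1)
        if not port.isdigit():
            continue
        if parts[1].lower().startswith("open"):
            seen.add(Endpoint(proto.lower(), int(port)))
    return seen


def check(policy: set[Endpoint], scan: set[Endpoint]):
    """Return (unexpected, missing).

    unexpected: open listeners the policy does not allow (a networthiness
    failure, or an undocumented dependency that needs a policy update).
    missing:    allowed endpoints not seen, usually a firewall or
    deployment problem rather than a security one, but worth a look.
    """
    return sorted(scan - policy), sorted(policy - scan)


def networthy(policy: set[Endpoint], scan: set[Endpoint]) -> bool:
    """True when every open listener on the host is covered by the policy."""
    return not (scan - policy)


# Constructed inputs for a hypothetical 'orders' web service.
ORDERS_POLICY = """
# Allow-list for the 'orders' service (constructed for this example)
tcp/443    # HTTPS endpoint for the service interface
tcp/8443   # TLS management endpoint
"""

ORDERS_SCAN = """
# Constructed nmap-style output for the host running 'orders'
PORT      STATE          SERVICE
22/tcp    open           ssh
443/tcp   open           https
8080/tcp  open           http-proxy
8443/tcp  open           https-alt
161/udp   open|filtered  snmp
"""

if __name__ == "__main__":
    policy = parse_policy(ORDERS_POLICY)
    scan = parse_scan(ORDERS_SCAN)
    unexpected, missing = check(policy, scan)
    for ep in unexpected:
        print(f"NOT ALLOWED: {ep.proto}/{ep.port}")
    for ep in missing:
        print(f"NOT OBSERVED: {ep.proto}/{ep.port}")
    print("networthy" if networthy(policy, scan) else "fails networthiness check")
```

On the constructed scan the script flags tcp/22, tcp/8080 and udp/161 as outside the policy. Listeners that belong to the host baseline (ssh, a monitoring agent) would in practice come from a separate host policy merged with the service's own; the example keeps one policy so the diff stays obvious. An 'open|filtered' UDP result is treated as a listener because the scan cannot rule one out, which is the conservative reading for an accreditation check.
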
This approach aims to certify that web services do not harm the SOA infrastructure and to accredit them in a much shorter period than is common today. It is based on industry standards, best practices, and our experience from working across many organizations, and it automates the process with software tools wherever possible. This approach has been tested and implemented by the Army SOA Foundation and is being actively considered as a best practice by other DoD organizations. For more information, download our report with 65 recommendations on testing and verification in SOA environments.