Service Oriented Architecture (SOA) Review

A review and analysis of relevant SOA artifacts (e.g., requirements, system security plan, business use cases, threat analysis, vendor-specific documentation) to identify how the data, application, and technology architecture of the solution (e.g., ESB, gateway, web services) protects critical assets, sensitive data stores and business-critical interconnections in accordance with the organization's business and security objectives.

Key activities include:

  • Leveraging Vulnerability and/or Risk Assessment output (where available) to understand potential attack vectors and focus the audit activities on the most critical elements;
  • Consulting with members of the application development team and management to understand:
    • the business goals and control objectives (security requirements) as they relate to data confidentiality, integrity, availability, and provability;
    • SOA communication scope (e.g., intranet, extranet, internet);
    • ingress, egress, and intra-application data flows (and corresponding security treatment);
    • data classification/risk level relating to the services exposed and the data they process;
    • core technologies (e.g., ESB, XML Gateway, Federated Identity Management) that are integral to the SOA implementation and that it relies upon to achieve its security objectives; and
    • core operational processes (e.g., user provisioning, system audit) integral to the implementation and/or those that the application is reliant upon to achieve its security objectives.
  • Analysis of the solution against prevailing good practice (e.g., OASIS, NIST), the organization's business and security objectives and relevant laws/regulations; and,
  • Formal reporting on the process, relevant findings, and remediation advice. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by a SOA Architecture Review are:

  • Provides a high level of design assurance by looking at the SOA implementation in a comprehensive and holistic manner;
  • Provides assurance that consumers of SOA services are properly authenticated, SOAP messages remain confidential in transit, the SOA architecture is sufficiently resilient, and SOAP messages have integrity and are provable;
  • Findings can be used to identify other necessary assurance activities and to optimally focus downstream activities (e.g., Network Security Assessments, Application Architecture Reviews, Authentication Services Reviews) on relevant issues/targets for large-scale, enterprise-level applications;
  • Allows an entity to address security deficiencies in the design phase at the lowest possible cost.

SOA Architecture Reviews are best used:

  • During the early design phases of the development life cycle to ensure that security is designed into the solution.  This approach reduces the likelihood that security will need to be retrofitted to the application.  Building security into an already developed solution can result in significant architectural changes, code modification, and a generally lower level of assurance that the solution meets the organization's security objectives.
  • Post-design and pre-deployment to validate that the deployment is consistent with the design and to focus the certification and accreditation activities on those areas that will provide the greatest level of assurance.