Updated: 4/30/2007; 4:05:51 PM.
Mark O'Neill's Radio Weblog
        

Sunday, June 12, 2005

Vordel User Conference - XML security chat in sunny Dublin

The Vordel User Conference was on Thursday and Friday in sunny Dublin (yep it was sunny, and warm too). Time for a quick blog entry using Dublin airport's free Wi-Fi as I wait for a flight out to London.

At the conference, we heard customer case studies about Vordel deployments in North America and Europe. This was the first user conference in the XML security area.

The main themes I picked out of the conference were:

  • The need to knit security right through the transaction (not just the XML part). A lot of the time, a Web Service is just an interface in front of an existing system, often an ERP or mainframe system. If you secure only the Web Service, without integrating that security through the system it fronts, you are only doing part of the job. A number of our customer case studies showed how security is knitted right through the transaction (to SAP, Software AG, WebLogic, etc.).
  • The need to use coherent security policies rather than just "throwing every specification beginning with WS-* or X against the wall and hoping for the best". Our tutorials described how to focus on the high-level requirements (e.g. "I want to make sure that only my partners can access this Web Service") and then map the technology to this requirement. Sometimes this can involve older technologies such as SSL or HTTP-Auth, which is why Vordel supports these technologies as well as WS-Security, WS-Trust (which we've had in production since summer 2004), etc.
  • And from the tutorial - remember that REST-style Web Services are very popular. Any solution where you assume that each Web Service invocation will have a "text/xml" or "application/XML+SOAP" content type will let REST traffic sail through. Securing REST-style Web Services is a whole task in itself, one which we've built support for in VordelSecure and VordelDirector. I'll be talking about this topic at OWASP in Boston in July.
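
The content-type assumption from the last point, as an added example that is not Vordel's code and not from the original post: a selector that inspects only SOAP-looking requests, beside one that assigns a policy to every request and denies what it does not recognise. The policy names, routes and requests are constructed, and `application/soap+xml` is the registered SOAP 1.2 media type, used here as an assumption about what the gateway matches.

```python
from urllib.parse import urlsplit

# Media types a SOAP-only filter keys on (assumption: SOAP 1.1 and SOAP 1.2 types).
SOAP_TYPES = {"text/xml", "application/soap+xml"}

def media_type(headers):
    """Lower-cased media type without parameters; '' when the header is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("content-type", "").split(";", 1)[0].strip().lower()

def weak_select(req):
    """Content-type gating: only requests that look like SOAP are inspected."""
    return "xml-policy" if media_type(req["headers"]) in SOAP_TYPES else "pass-through"

def select_policy(req, rest_routes):
    """Every request gets a policy; anything unrecognised is denied."""
    if media_type(req["headers"]) in SOAP_TYPES:
        return "xml-policy"
    path = urlsplit(req["target"]).path
    allowed_methods = rest_routes.get(path)
    if allowed_methods is not None and req["method"] in allowed_methods:
        return "rest-policy"  # hypothetical policy covering path, query string and body
    return "deny"

# Constructed REST route table and sample requests (hypothetical service).
REST_ROUTES = {"/orders": {"GET", "POST"}}
SAMPLES = [
    {"method": "POST", "target": "/ws/orders",
     "headers": {"Content-Type": "text/xml; charset=utf-8"}},
    {"method": "GET", "target": "/orders?id=42", "headers": {}},
    {"method": "POST", "target": "/orders",
     "headers": {"content-type": "application/x-www-form-urlencoded"}},
    {"method": "DELETE", "target": "/admin", "headers": {}},
]

def compare(samples=SAMPLES, routes=REST_ROUTES):
    """Return (weak, corrected) policy decisions for each sample request."""
    return [(weak_select(r), select_policy(r, routes)) for r in samples]

if __name__ == "__main__":
    for req, (weak, fixed) in zip(SAMPLES, compare()):
        print(f"{req['method']:6} {req['target']:16} weak={weak:12} corrected={fixed}")
```

Only the first sample is inspected by the content-type gate; the REST calls and the unknown request reach the back end unexamined unless the selector covers every request.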

If you couldn't make the conference, then by all means email me for the presentations.


3:10:12 PM

© Copyright 2007 Mark O'Neill.
 