News

Oracle Integrates Fusion Components for Web Services Security

• By John K. Waters
• July 13, 2005

Much discussion about IT security centers around the idea that developers should build secure applications. It makes sense; more than ever, attackers are targeting vulnerabilities in the application layer. But in an increasingly service-oriented world, in which monolithic applications are being broken down into smaller pieces for reuse, is it practical to expect developers to code security into individual Web services?

Prakash Ramamurthy, Oracle's VP of server technologies, says it's not.

"Of course you want developers to write secure code," Ramamurthy says. "You want them to understand things like buffer overflows and SQL injections. But as more and more organizations move to a service-oriented architecture and face the challenge of writing secure Web services, it makes more sense to separate the business logic from how security is being implemented when [the applications] are deployed.”

Oracle has tightly integrated two components of its Fusion Middleware product family—the BPEL Process Manager and the Web Services Manager—specifically to make it simple to create, integrate, orchestrate and access secure Web services.

Based on the Business Process Execution Language standard, the BPEL Process Manager is "the orchestration piece," Ramamurthy says. It's designed to allow organizations to implement adaptive transactions and collaborative business processes based on so-called composite applications. “What our customers were asking us for was a way for security to be separated, and actually articulated and implemented at runtime,” Ramamurthy says. “One of the things the Oracle Web Services Manager allows you to do is to create security and audit policies outside the Web service that is delivering the business logic.”

The security piece, Oracle's Web Services Manager, is designed to secure and manage the operations of Web services and the interactions among them. Key features include: The Policy Manager, a graphical tool for building new security and operations policies, storing policies, and managing distribution and updates to runtime agents and gateways; Policy Gateways, which can intercept inbound requests to applications to enforce policy steps, adding application security and other operation rules to applications that are already deployed; Policy Agents, which plug directly into an application or service; and a Monitoring Dashboard, which collects data from gateways and agents as they execute policies, and displays results in a graphical format.

In their newly tightly integrated form, the two components provide a secure business process platform that includes all the elements required to secure business processes built on any Java-based application server, Ramamurthy says.

“There is a lot of synergy between the orchestration piece and the security piece,” says Ramamurthy. “The tight integration between the two products allows customers to do Web services orchestration and put security policies in place that can change over time, mimicking what the business decisions are, especially audit policies for compliance, which seems to be a moving target for many companies. These things can be implemented as part of the Web Services Manager and not as part of the Web service itself.”

"Together, they allow the app developers to focus on the application logic and at deployment time leave it to the deployers to figure out how they want to lock it down," he adds.