Peter Schoof over at eBizQ's Twenty-Four Seven Security makes a couple of very interesting assertions regarding the lack of growth of Service Oriented Architecture (SOA).
"I haven't seen much discussion in the blogosphere about the security challenges that arise from loosely coupled service orientated systems, but that will soon change. As more and more companies move towards open applications à la SOA, data is also opened up to a whole new series of exploits and vulnerabilities."
I will agree that SOA provides some very interesting security challenges that, as with many emerging technologies, people are attempting to solve by having security bolted on instead of baked in. I'd also agree that SOA will manifest new attack surfaces and potential vulnerabilities; it already has.
Interestingly, the market for SOA security solutions came out of the gate strong, looked hot in the midst of consolidation and M&A madness, but then stumbled as the adoption of SOA (or specifically SOA security) did not support this nascent market kindly. It has, in fact, become a feature, not a market.
As to there not being much discussion in the blogosphere surrounding SOA, perhaps Peter missed Gunnar Peterson, Lori MacVittie, Arnon Rotem-Gal-Oz, or even me. Obviously Joe McKendrick has been blogging about SOA and security for some time also, since he's the person moderating the webinar that Peter is referring to in his full post.
"At this point, security is the primary limiting factor inhibiting SOA's growth. In order to counteract that, 'Enterprises need to apply non-invasive, externalized security policy enforcement mechanisms consistently throughout their SOA ecosystems, while also centrally managing security policy.'"
<Cough!> Um, no. Firstly, please shoot the marketing drone that wrote that.
Secondly, and most important, the primary limiting factor inhibiting SOA's growth is the gross sum of: the definition of SOA, the state (mess) of Enterprise Architecture, operationalizing SOA and message buses, the business case, business value, complexity, and the cost center. Security's in there somewhere, but it's far from being THE primary limiting factor, Peter.
I'm all for trying to raise the flag regarding SOA and the need for security, but please don't play pin the tail on the donkey with security as the Ass...you're only going to look like one.