Web Services Wrapper: Knowing Which Apps to Wrap ... and When

A SOA doesn't have to be complicated; however, it's important to have a clear SOA strategy and to understand the security risks and ways to minimize them. Or you could be looking at a recipe for disaster. This section discusses the tactic of employing the Web services wrapper to extend the life of your existing applications.

The Idea: "Get Instant SOA: Grab Your Existing Apps and Wrap 'Em Up"

Granger Machinery, a manufacturer of heavy and industrial machinery, thought that it had a great idea for starting a SOA. The company planned to use Web services in the form of a "wrapper" to make its existing inventory and customer database available to other lines of business. The SOA was initiated by allowing a client to send complete SQL statements in the request to the database. However, this protocol left the relational database susceptible to SQL injection attacks, whereby attackers bypass the SQL statements defined on a Web server in order to inject their own statements.

The IT team thought that it could reduce this risk by using an anti-injection attack feature in its existing security product. This feature would detect and sanitize SQL statements that were written to perform destructive operations, such as "Drop" or "Delete."

Why It Wasn't So Smart

By itself, this Web service approach of putting a wrapper on an existing application or database is not dangerous. However, if you think about this case, it is actually a tightly coupled approach and requires that the requestor know the implementation details to make the SQL call. This approach suffers from two major problems:

1. It lacks business context. The IT team needs to associate a business context—or rules—around the Web services, instead of allowing "dumb" SQL requests. Such rules define who has a right to put in a request to the SQL database and in what situation they can access data. Individuals would then need to be authenticated before accessing the database. This would prevent the database from blindly giving out information, as well as prevent destructive requests from directly accessing the table.
2. The SQL injection problems are caused by two different issues: bad data that gets injected into SQL statements, and bad SQL statements themselves. The injection protection capabilities described earlier cannot solve these problems.

The Web services wrapper approach can be dangerous if not undertaken with care. In this case, SQL injection problems resulted from two sources.

A Better Approach

By applying SOA and Web service standards, you can quickly achieve reuse and integration goals. However, this approach needs to be part of an overall SOA strategy, or you risk experiencing problems at the application level.

In the case of Granger Machinery, the company needed to address the following in its SOA strategy:

• Who should be authorized to access the data?
• How should they access it?
• Can and should we prioritize the requests and transactions?

Bottom line? Wrapping a service is an excellent way to get reuse out of applications that are already delivering value to your business. It is therefore a good way to build a SOA, so long as you have solid IT business alignment. (Governance should ensure that such issues are accounted for and built into the strategy. Policies then will perform the control, with management and run-time governance ensuring these polices are enforced and measured.) Randomly wrapping services, however, can lead to security and performance problems—inside and outside the organization.

In the end, remember that building a SOA is an incremental process. You can start by wrapping services that are working well today and rebuild other SOA services over time. In addition, you can prioritize what to rebuild and what to build from scratch based on the new business opportunities that come your way. Bottom line, the Web services wrapper is a great tactical approach for moving toward SOA, but it is not a panacea.

For More Information

Learn more about extending the life of your existing apps with Web services wrappers: download the free white paper, SOA Introduction: IT and Business Perspectives