With the establishment of security organizations in enterprises over the past 5 to 10 years, I find that I have been having less and less contact with application developers in those same organizations. Largely this is a good sign (not that I don't like developers), in that it shows that responsibility for enterprise IT security now falls more squarely with the security organizations, where it frankly belongs, and less so on the developers of individual applications.
Recently, however, I was invited to address a group made up primarily of application developers at the Edge User Group Conference in Amsterdam, Netherlands. My topic was Security for Services, and I explained the value of securing services (SOA/Web services) using the well-worn security architecture of policy decision points, policy enforcement points and policy administration points (PDP/PEP/PAP): the PEP sits in front of the service and intercepts each request, the PDP evaluates that request against policy and returns a decision, and the PAP is where administrators author and manage the policy, so none of that logic lives in the application itself. This is the architectural approach that forms the basis of CA's Secure Web Business Enablement solutions, in particular CA SiteMinder and CA SOA Security Manager.
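To make the separation concrete, here is a small added example (my own illustration, not code from CA SiteMinder, CA SOA Security Manager or any other product) of the three roles in Python. It assumes a simple role-based policy model with glob-style resource names and a deny-overrides combining rule; these are assumptions chosen for illustration, not a description of how any particular policy server works. The point to notice is that the service handlers (`get_order`, `cancel_order`) contain no authorization code at all, and that changing who may call them is done through the PAP without touching the application.

```python
"""PEP / PDP / PAP separation for a Web service (illustrative, not product code)."""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Policy:
    resource: str          # glob over "service/operation", e.g. "orders/*" (assumed model)
    action: str            # "read", "write" or "*" for any action
    roles: frozenset       # policy applies to a caller holding ANY of these roles
    effect: str = "Permit"  # "Permit" or "Deny"


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    action: str


class PolicyAdministrationPoint:
    """PAP: the place where policy is authored and managed. Nothing else writes policy."""

    def __init__(self):
        self._policies = []

    def add(self, policy: Policy) -> None:
        self._policies.append(policy)

    def policies(self):
        return tuple(self._policies)


class PolicyDecisionPoint:
    """PDP: evaluates a request against the PAP's policy set and returns a decision."""

    def __init__(self, pap: PolicyAdministrationPoint):
        self._pap = pap

    def decide(self, req: Request) -> str:
        decision = "NotApplicable"
        for p in self._pap.policies():
            applies = (fnmatch.fnmatch(req.resource, p.resource)
                       and p.action in ("*", req.action)
                       and bool(p.roles & req.roles))
            if not applies:
                continue
            if p.effect == "Deny":      # deny-overrides: one matching Deny wins outright
                return "Deny"
            decision = "Permit"
        return decision


class AccessDenied(Exception):
    pass


class PolicyEnforcementPoint:
    """PEP: intercepts calls to a service and enforces the PDP's decision."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self._pdp = pdp

    def protect(self, resource: str, action: str):
        def wrap(handler):
            # In a real deployment the subject and roles would come from the
            # authenticated message (a security token); here they are passed
            # explicitly so the example runs stand-alone.
            def guarded(subject, roles, *args, **kwargs):
                req = Request(subject, frozenset(roles), resource, action)
                if self._pdp.decide(req) != "Permit":   # anything but Permit is refused
                    raise AccessDenied(f"{subject} may not {action} {resource}")
                return handler(*args, **kwargs)
            return guarded
        return wrap


def build_demo():
    """Wire PAP -> PDP -> PEP and protect two plain service operations."""
    pap = PolicyAdministrationPoint()
    pap.add(Policy("orders/*", "read", frozenset({"customer", "clerk"})))
    pap.add(Policy("orders/*", "*", frozenset({"manager"})))
    pap.add(Policy("orders/cancel", "write", frozenset({"contractor"}), "Deny"))
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(pap))

    @pep.protect("orders/get", "read")
    def get_order(order_id):            # no security logic in the application code
        return {"id": order_id, "status": "shipped"}

    @pep.protect("orders/cancel", "write")
    def cancel_order(order_id):
        return {"id": order_id, "status": "cancelled"}

    return pap, get_order, cancel_order


def try_call(handler, subject, roles, *args):
    """Outcome as the caller sees it: ('Permit', result) or ('Deny', reason)."""
    try:
        return "Permit", handler(subject, roles, *args)
    except AccessDenied as exc:
        return "Deny", str(exc)


pap, get_order, cancel_order = build_demo()

if __name__ == "__main__":
    print(try_call(get_order, "alice", ["customer"], 42))
    print(try_call(cancel_order, "alice", ["customer"], 42))
    print(try_call(cancel_order, "carol", ["manager", "contractor"], 42))
    pap.add(Policy("orders/cancel", "write", frozenset({"clerk"})))   # policy change, no code change
    print(try_call(cancel_order, "dave", ["clerk"], 7))
```

The last lines are the argument in miniature: granting clerks the right to cancel orders is a PAP operation that takes effect immediately, with no redeploy of the service. In a real infrastructure service the PEP would be an agent or gateway in front of the Web service and the PDP a separate policy server, but the division of responsibility is exactly the one shown here.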
I really didn’t know how easily or well this concept would be accepted by a group of application developers, as it is really about providing security as an infrastructural service, not as an embedded part of any single application. What I experienced was both encouraging and discouraging at the same time. Let me explain. The developers in my session seemed to understand and accept this approach, so that left me encouraged. They understood the value of consuming security for their Web services as a service. In fact a number of them said to me after the session that they would use such a service tomorrow if it existed in their organizations. “If it existed in their organization.” Why doesn’t such a security service exist to be tapped into by the developers?
When I do similar sessions with a primarily security audience the take-up seems a lot more muted specifically when applied to SOA/Web services. Only the most mature security organizations and the most sophisticated security personnel seem to buy into this approach. While this issue has slowly gotten better from my point of view over the past few years, it seems to me that the average security architect is falling behind the average application developer. Service orientation and Web services are becoming widely used in enterprises by application developers (this assertion is backed by recent survey results from Randy Haffner from Forrester), but service oriented security is still off into the future for far too many security organizations.
What this means is that application developers will be forced to do whatever it takes to provide security to get their projects done, which will inevitably lead to the creation of more insecure and costly security silos – again. So for security professionals that are reading this blog entry, please connect with your application developers and understand their strategies and roadmaps for using service orientation and Web services – and architect accordingly.