Application Security Testing: An Integral Part of DevOps
'It's probably the most important .NET building block service,' said Microsoft Chairman Bill Gates. 'This is a revolution where the user's creativity and the power of all their devices can be used.' HailStorm will allow client-side applications and Web services to exchange user information much more quickly and easily.
What Is .NET My Services?
The .NET My Services platform is a collection of XML Web services that are invoked over the Internet by means of industry-standard protocols including SOAP, XML, and Universal Description, Discovery, and Integration (UDDI). .NET My Services authenticates users, provides the ability to send alerts, and stores personal information, including contacts, e-mail, calendar, profile, lists, electronic wallet, physical location, document stores, application settings, favorite Web sites, devices owned, and preferences for receiving alerts.
Salient Features of .NET My Services
Privacy is a key design requirement in the .NET My Services architecture, and the .NET My Services data model is overlaid with a specific security and access control model that allows end users to control how and with whom their personal information is shared. This intelligent software allows users to:
- Determine who or which services have access rights to their data.
- Share data at will with any party. .NET My Services will employ a strict opt-in policy for users' data.
- Revoke sharing/access privileges at will, providing a unique level of control not commonly available on the Web.
- Arrange for sharing that expires at a given time: system-managed, time-based data access revocation.
.NET My Services can be accessed from any device, service, or application with an Internet connection, the ability to authenticate a user, and the ability to send and receive SOAP messages. Microsoft has already demonstrated .NET My Services being accessed from Microsoft Windows, Macintosh, Palm PC, Pocket PC, and a variety of UNIX-based products.
For users, HailStorm will be accessed through their applications, devices and services (also known as "HailStorm end-points"). Naturally, the .NET infrastructure provided by Visual Studio.NET, the .NET Framework, and the .NET Enterprise Servers will fully incorporate support for HailStorm to make it as simple as possible for developers to use HailStorm services in their applications.
Microsoft has also defined a discovery mechanism (an XML schema and a search algorithm), called Discovery of Web Services (DISCO), that you can use to locate Web services. You use DISCO (short for Discovery) to locate a Web service at development time; your development tool then creates a proxy that allows you to use the Web service without having to run the discovery mechanism again. The proxy contains a hard-coded URL for the Web service, but you can override this location in your client by setting the "Url" property on your proxy object.
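As an added illustration (not code from the original page or from Microsoft), here is a hypothetical proxy of the kind a DISCO-aware tool generates, with its hard-coded Url, alongside a helper that honours a Url override only when it points at an HTTPS endpoint on an allow-listed host, so a configuration value cannot silently redirect the client or downgrade the transport. The proxy class, the helper, the endpoint URLs and the host list are all assumptions made for this example.

```csharp
using System;
using System.Web.Services.Protocols;

// Hypothetical proxy of the kind wsdl.exe or Visual Studio .NET generates after
// DISCO has located the service (constructed for this example, not Microsoft's code).
// Generated proxies derive from SoapHttpClientProtocol and set Url in the constructor.
public class MyProfileProxy : SoapHttpClientProtocol
{
    public MyProfileProxy()
    {
        // Endpoint captured at development time; placeholder value.
        this.Url = "https://myprofile.example.invalid/soap";
    }
}

public static class EndpointOverride
{
    // Assumed policy: an override (e.g. read from application configuration) may only
    // retarget the proxy to an HTTPS endpoint whose host is on the allow list. Anything
    // else is rejected and the proxy keeps its compiled-in Url.
    public static bool TryApply(WebClientProtocol proxy, string overrideUrl, string[] allowedHosts)
    {
        Uri uri;
        if (!Uri.TryCreate(overrideUrl, UriKind.Absolute, out uri))
            return false;                                   // not a parsable absolute URL
        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return false;                                   // refuse a plaintext http:// downgrade
        foreach (string host in allowedHosts)
        {
            if (string.Equals(uri.Host, host, StringComparison.OrdinalIgnoreCase))
            {
                proxy.Url = uri.AbsoluteUri;                // accepted override
                return true;
            }
        }
        return false;                                       // host not on the allow list
    }

    public static void Main()
    {
        MyProfileProxy proxy = new MyProfileProxy();
        string[] allowed = { "myprofile.example.invalid", "myprofile-staging.example.invalid" };

        bool accepted  = TryApply(proxy, "https://myprofile-staging.example.invalid/soap", allowed); // true
        bool downgrade = TryApply(proxy, "http://myprofile.example.invalid/soap", allowed);          // false
        bool unknown   = TryApply(proxy, "https://other-host.example.invalid/soap", allowed);        // false

        Console.WriteLine("{0} {1} {2} -> {3}", accepted, downgrade, unknown, proxy.Url);
    }
}
```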
The actual descriptions of .NET My Services are conveyed through WSDL (Web Service Description Language) documents. These documents convey all of the information a client needs to interact with the service, including all of the different objects, types, and methods that a particular Web Service exposes. The more robust the Web Service, the more complex and unwieldy is the WSDL document describing the service.
The Microsoft Shared Development Process (SDP) provides a mechanism for fast, focused and profitable collaboration on key technology initiatives between Microsoft and industry partners. The SDP provides structure for the development of extended 'HailStorm' services, including the following: (1) call for proposals for new 'HailStorm' extended services; (2) creation of SDP working groups; (3) definition and testing of extended 'HailStorm' services; (4) certification of extended 'HailStorm' services; (5) deployment of new services.
The key to shifting from a machine-centric application model to a distributed computing model is to shift the central unit away from the computer and towards the user. In a machine-centric system, the software license was the core attribute -- a software license meant a certain piece of software could be legally run on a certain machine. Without such a license, that software could not be installed or run, or could only be installed and run illegally.
Independent & Decentralized
The HailStorm platform uses an open access model, which means it can be used with any device, application or service, regardless of operating system, object model, programming language or network provider. All HailStorm services are XML Web services invoked over SOAP; no Microsoft runtime or tool is required to call them. This decentralization of the client is designed to allow HailStorm applications to spread as quickly as possible.
While decentralizing client code, Microsoft centralizes the three core aspects of the service:
- Identity (using Passport)
- Security (using Kerberos)
- Definitions and Descriptions (using HailStorm's globally standardized schema)
First, you cannot use a non-Passport identity within HailStorm, and at least for now, that means that using HailStorm requires a Microsoft-hosted identity.
Second, developers might not be able to write HailStorm services or clients without using the Microsoft-extended version of Kerberos.
Third, you cannot use a non-Microsoft copyrighted schema to broker transactions within HailStorm, nor can you alter or build on existing schema without Microsoft's permission.
Simplified Access (Any Time and On Any Device)
Users' lives are made easier: a user no longer has to log on to one service to check e-mail, use another application to check a work calendar and yet another to check personal calendar entries, start a browser to check favorite Web sites, or enter passwords, addresses, and other personal information in the fifty different consumer Web sites they visit.
Because of the data-centric nature of XML Web services, .NET My Services will enable end users to access their key information and receive alerts about important events anywhere, on any device, and at any time.
Authentication of a HailStorm user is provided via Kerberos, a secure method developed at MIT for authenticating a request for a service in a computer network. Microsoft's extended version of Kerberos, however, creates potential incompatibilities between clients running non-Microsoft versions of Kerberos and servers running Microsoft's version. By making the system transparent to developers but not freely extensible, Microsoft hopes to gain the growth that comes with openness, while avoiding the erosion of control that also comes with openness.
Network security enhancements:
- Kerberos Security Protocol
- Efficient authentication to servers.
- Mutual authentication
- Secure Sockets Layer (SSL) Support for Web Server
- Protected Store
- Smart Card Cryptographic Service Provider (CSP)
.NET My Services Endpoints
Microsoft is actively working to create numerous third-party endpoints for .NET My Services. This means that Microsoft applications, including everything from Microsoft Office to Microsoft games, will support .NET My Services. Services including MSN and the Microsoft bCentral small business portal will be .NET My Services endpoints, and a variety of devices powered by Microsoft software will be potential .NET My Services endpoints, including the Microsoft Xbox video game console, Pocket PC, and Microsoft's smart phone software platform, currently code-named "Stinger." A number of Microsoft operating systems, including Windows XP and Windows CE, will also be .NET My Services endpoints themselves.
How .NET My Services Work
From the developer's perspective, .NET My Services is a set of XML Web services, accessed by sending and receiving SOAP messages over the HTTP or DIME protocols, and using the .NET Passport system for authentication. But how does .NET My Services work? .NET My Services consists of three things:
- Authentication, which will be provided by .NET Passport when .NET My Services goes live
- SOAP, the communication protocol
- XML, following the rules and schemas set out in the XMI Reference, which provides the data formatting and organization
In the end I would like to say that this "HailStorm" can really bring a thunderstorm to the world of Web services.