One of the hardest challenges for information security is choosing where to focus. The game where you say "if you have $100 to spend, where would you spend them?" is a good game because it forces choices and prioritization. Just like a lot of Fortune 500 companies, information security often backs into decisions, i.e. choosing not to choose is a choice, and then a lot of the budget gets eaten up by yesterday's legacy technologies. Instead, it's better to look forward and choose processes, technology and architecture based on what threats, vulnerabilities and assets your program is dealing with today.
- Quantity - While there are hundreds or thousands of applications in a typical company, there are probably fewer than one hundred services (at least for now). By focusing on Web services, the security team has a smaller population to deal with.
- Assets - while there are relatively fewer services, the whole reason you write a service is for reuse and interoperability. Typically, you want to reuse data and functionality on a mainframe, SAP, Siebel or some such system. But if the company is going to pay developers to write service front ends, wrappers or aggregators, then there is a high likelihood that it's a valuable asset worth protecting. So the security team is now dealing with a smaller quantity of higher value assets.
- Standards - software security is pretty hard. It helps to have reusable skillsets, not just threat modeling but technical skillsets too. Since Web services rely on standards, this gives the security team a place to leverage expertise across multiple projects.
- Scale - If your software security team is less than 5% of the development staff, it needs to scale its impact, and web services are built for scale across the enterprise and beyond.
- Trend - we continue to see more and more web services; the cloud is only the latest (and not the last) iteration. If we want to avoid the hamster wheel of pain - protecting today's innovations with yesterday's security - then the time to act is now.