Agile Development vs Security

Similar Messages

• Agile Development in an SAP Landscape

  My team is looking to shift from a 'regular', waterfall-type development methodology which delivers 2 large functional releases per year to a more flexible, nimble project based approach based on Agile Development methodologies.
  The goal is to be able to treat each project independently from a resource and scheduling perspective - so multiple projects could be underway at any one time but each one potentially running on a different time line.  Of course, life-cycle support for the production environment would be on-going at the same time.
  The problem we face is defining an SAP system landscape that supports this approach and that allows for the management of the inevitable conflicts that will arise when different projects require changes to the same development object.
  I'm interested to hear feedback from anyone who has implemented an Agile Development approach within an SAP environment ( successfully or not ! ) as well as ideas for what a  possible Agile SAP landscape could look like.
  Thanks
  Tim

  Our team has been adopting some agile practices and have seen some great benefits. We have not embraced one methodology entirely (XP, Scrum, etc.).  We're taking bits and pieces that make sense in our environment and adopting them incrementally. 
  Here's an example of some of the things that we're doing:
  1.  Chunking out development tasks.  Basically working with the requirements or functionality that we know and not waiting until every possible scenario is clearly (or not so clearly) defined.  We try to get stakeholders (business users and BPx's) looking at our programs and prototypes often to ensure that we're on the right track.  This chunking out of tasks has been a benefit in that it is easier to manage (from a manager and developer perspective) and it gives us clearly definable goals for what we're shooting for in a fixed time frame (1 week).  We talk individually every day (short spinarounds) to ensure that we're on track and identify any potential risks.
  2.  Modeling of requirements.  This proves extremely valuable to our developers, functional folks, and business users.  This usually involves grabbing a couple of folks and whiteboarding ideas to ensure that everybody has a clear understanding of what is going on.  I will admit that this  we certainly don't do it as much as we should, but it's something that we're working on doing as much as we can.
  3.  Frequent builds/migration.  We currently transport released changes to test every 30 minutes in the ABAP stack.  This allows us as developers to move on to the next task and allows our testers a quicker turnaround of bug fixes and new functionality.  We move production code twice a week.  For the JAVA side, we do a "JIT" build/deployment.  As fixes need to be migrated, we check in/build and deploy.  Since the NWDI is still new to us, we haven't done much investigation on automating this process, but I imagine that we will do so in the future.
  One of the challenges that we ran into was thinking that the code was the only thing that matters (which you might get from some agile camps).  Just because you're modeling and documenting (just enough documentation), does not mean that you're not "agile".  You don't throw out design and analysis just so you can sit down and write code to have something to show somebody.  The collaboration and clarity that agile practices provide is one of the keys to making it successful.
  We started implementing some of these practices in the development group about 8 months ago and since then we've seen some interest/adoption in our project management group and functional teams.  I would imagine that we'll continue to pick and choose practices that work for us...try some out, see what happens, adapt, evolve, etc.  So far so good in my opinion.  From a managment perspective, it really has made it easy to know what people are working on and how productive we can be as a group.  From a developer's perspective, it makes development easier and more fun when you have a clear target in front of you and you can throw out ideas in a modeling session.  From the end user perspective, they seem to like that we can roll out production ready functionality in an incremental way so they don't have to wait 6 months to get something that they can see and use.  From my limited experience, it seems to be a much better way to develop applications.

• Weblogic.developer.interest.security has moved!

  This newsgroup has been relocated. Going forward, please use the weblogic.developer.interest.security newsgroup, which will be located in the [url http://forums.bea.com/category.jspa?categoryID=2004]WebLogic Server/Java EE Newsgroups folder, located at:
  http://forums.bea.com/category.jspa?categoryID=2004

  Pls mention the WLS version & service pack level
            Kumar
            Kevin wrote:
            > Has anyone seen this nasty error before. It is killing my server and Idon't yet know why I get it.Tue Jun 26 19:10:52 CST 2001:<E> <ServletContext-General> Servlet failed with Exceptionjava.lang.ArrayIndexOutOfBoundsException: 7743536at weblogic.servlet.jsp.JspBase.service(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextManager.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.execute(Compiled Code)at weblogic.kernel.ExecuteThread.run(Compiled Code)
            

• An open source framework for agile development with Sites

  I am happy to announce the release of a new open source framework for sites development: AgileSites 1.0.0.beta1.
  AgileSites is an open source framework built using standard and documented Sites API provinding a number of features meant to simplify development, mostly to make agile development and offshoring way easier and more manageable.
  Some of the features:
  - MVC with plain Java controller and pure HTML views
  - Templating done in jQuery style (like client-side javascript templating)
  - Integrated unit testing and build system
  - Integrated csdt so everything is source and can be stored in Git or Subversion and rebuilt with jenkins in minutes
  - Hot reloading of java classes, including the url assembler - you code in java without restarting the application server
  - Single jar deployment - all your site code is in a jar that can be easily tracked and moved around
  - A simplified API layer built on top of standard tag assets making development a breeze
  - Complete and unlimited access to the full Sites API
  - Keeps the JSP structure so the framework can be added to another site using JSP
  AgileSites is available in his own dedicated site: www.AgileSites.org with a video showing his capabilites.

  The framework is completely following WebCenter Sites standard. It is built on top of JSP and Java using only documented API and standard Java libraries. It is not different than any other site implementation. It is basically a pre-built site to make easier applying agile development practices. It is as supported by Oracle as any other custom website implementation on top of Sites.

• New LabHSM Toolkit - Agile development of complex event-driven maintainable LabVIEW applications with active objects / actors based on a universal Hierarchical State Machine / statechart template.

  Dear Fellow LabVIEW programmers:
  Most of the systems you deal with are reactive. It means that their
  primary function is constant interaction with their environment by
  sending and receiving events. But most likely, they can have something
  happening inside them too, even when they are not processing messages
  received from outside. So, such systems have to continuosly react to
  external and internal stimuli. Right? Moreover, most likely, they
  consist of subsystems that are reactive too and, in turn, can have
  their own "life", to an extent independent from other parts (with
  which they still communicate, of course). Reactive (event-driven)
  systems are more naturally modeled with active objects. So, why then
  should we try to model and code them with GOOP and its passive
  ("dead"!) objects?
  "Flat" State Machines have been known for decades to have severe
  limitations. It's been more than 20 years since Dr. Harel invented
  Hierarchical State Machines (statecharts) to fight those limitations.
  Then why does NI still tout the same old good Moore FSM as the
  ultimate tool for event-driven programming in LabVIEW in its $995
  State Diagram KIt?
  The LabHSM toolkit we are happy to present, makes it possible to
  easily create and then maintain complex event-driven applications in
  LabVIEW as a collection of HSM-driven active object VIs using a higher
  level of abstraction and agile software development methodologies.
  These active object VIs are created based on a universal Hierarchical
  State Machine ( HSM or statechart ) template. So. all your code looks
  similar regardless of its functionality!
  We all love just jump to code, right? However, to be good boys, we
  need to do design first. Then implement it in code. If the logic is
  modified we need to redo the design first and then redo the code. When
  using LabHSM where behavior information is abstracted into a separate
  HSM data file editable with a supplied editor, there is no need for
  coding separate from design any more. The modified behavior becomes
  code automatically as soon as the HSM file is saved. Design is code!
  The implementation basically follows Dr. Samek's Quantum Programming
  paradigm. (see http://www.quantum-leaps.com). However, as already
  mentioned, LabHSM stores the behavior information in a file separate
  from the code itself. It also adds state dependent priorities to
  events, a separate queue for public events/messages, and, of course,
  some LabVIEW specific code like capturing front panel user events and
  putting them into the private Events queue. Communication and
  instantiation functions are also rather specific for LabVIEW.
  It is available for UNLIMITED PERIOD trial. Please visit
  http://www.labhsm.com for details and download. The site also contains
  references which you may want to check to learn more about
  hierarchical state machines and active object computing.
  Since this is our debut we will appreciate any comments and
  suggestions. Our contact information is available on our site, of
  course.
  Have a G'day!

  Symtx is currently hiring the following position. Please contact me if interested.
  Amy Cable
  Symtx, HR
  [email protected]
  Symtx, the leading supplier of functional test equipment, hires the brightest & most talented engineering professionals to design & manufacture complex custom electronic systems for advanced technology leaders in the defense, aerospace, communications, medical, transportation & semiconductor industries. Symtx’ challenging & dynamic work environment seeks to fill openings with highly qualified electronic engineering design professionals.The ideal candidate will be responsible for defining the requirements, software design and code development, and integration of test control software for custom functional test systems. Candidate should be familiar with data acquisition concepts, instrument control, complex test, measurement and calibration algorithm development and definition and implementation of control interfaces to hardware. Prefer familiarity with instrument control via GPIB, VXI, MXI, RS-232 desirable. Requires BS/MSEE and 3 -7+ yrs of experience in one or several of the following test applications in a Windows NT/2000/XP environment using Labwindows CVI, TestStand, Labview, Visual Basic, C++ and knowledge of RF systems is a plus. Job responsibilities will include software design, development, integration, team leadership, and interfacing with customers( includes PDR’s & CDR’s).

• Developer 10g - Security Setting do not allow Websites to user Active X

  Hi
  I am Salman
  I Install Developer 10g (10.1.2.0.2) on Windows Vista 32 Bit
  I make a Test Form and Run through IE 7, following error generate:
  "Your Security Setting do not allow websites to user Active X controls installed on your computer. This page may not display correctly"
  What will be the solution ?
  Can any one guide me in this regard
  My ID is [email protected]
  Salman

  change the following browser setting:
  Tool > Internet Options > Advanced > Security: Allow active content to run files on my computer.
  Checking this box may resolve your issue but be weary that fi you use your pc for internet then it will also allow external Active X content to run on your pc too.

• Structuring Help for Many Apps and Agile Development

  Hi Guys
  I am starting to evaluate RH9 (with server) and am lookign for seom advice on structuring help.
  We produce a management information system, which comprises 17 apps.
  We have major release versions: e.g. 4.9, 5.0 and then sub builds (e,g. 4.9.0.23)
  Most sub builds contain new features that require documentation. We do agile dev, so we are producing new builds every few weeks. This means we can't just produce documentation for major releases (e.g. v4 and v5). This is waht we do right now, but it means it's always out of date
  My initial project is to setup the master pages and css and import the Word manuals into RH and do any necessary cleanup. We will initially publish web help and "printed" (PDF) documentation from this, but eventually want to link into our applications (initially on the help menu and them adding context sensitive help).
  So if a user is running 5.0.0.23 of Inventory Management and goes to the help menu, I want them to be able to get to the documentation for that specific build.
  So, from a documentation point of view, how do I manage all of this?
  Do I put it all under one project or one project per app or per major version or build? My main concern is that we can literraly have 100's of different builds in use by customers, so if we change the documentation for feature X, all users on relevent builds get the updated documentation.
  We are keen to get user feedback and improve areas that require improvement, so let's say a user says the documentation for setting up warehouse locations is not very good. This feature has been around since version 1.0, so we want to update it's documentation and have it available to all current versions (4.x and 5.x). Is there a way to setup the documentation such that I can flag parts of it to specific versions. Using the above example, I want users on all versions and all builds to get the updated version; however, if we change the way locations are managed in 5.0.0.23, how do I ensure that everyone on 5.0.0.22 and below gets version A and everyone on 5.0.0.23 and above gets version B? Clearly, I don't want an entire project for each build (e.g. 5.0.0.23); otherwise, I'd have to make the smae update dozens of times if it's documentation on an existing feature .
  One other thing to consider: related topics can be in other apps. For example in App 1, a related topic might be something in App 2.
  Any pointers greatfully appreciated
  Regards
  Mark

  What you describe is similar to what we are doing currently, with a few notable exceptions. Two of us maintain a large number of online user's guides that are published both as Webhelp (25 projects merged into one parent help system) and as standalone .docx and .pdf files. We are also using Agile. Our company offers two or three major releases per year (2011.1, 2011.2, 2011.3) with one or two patch releases for each major release (2011.1.1, 2011.1.2, etc).
  Our customers also use different versions--some are still on last year's release (possibly earlier), while others install the latest version as soon as it's available.
  A few things you may want to consider:
  1. We've had limited success importing Word documents directly into Robohelp--the HTML invariably gets screwed up with a bunch of extra codes from Microsoft. We've found we have better control over the help files if we simply copy the Word text to Notepad and then copy and paste the stripped-down text to Robohelp, where we create topics, apply styles, insert hyperlink, and import images. This method of converting text from Word to RH takes longer initially, but seems to work better in the longer term, especially if the original document had nested lists or complex tables. FWIW, doing the conversion is relatively mindless work--the kind of task that is great to do at the end of a long week when your mind is numb from writing.
  2. The start pages for each of our 25 projects are linked to their corresponding modules in the software (users can click the Help icon or press F1 to see the online help for the module or to access the entire help system). However, we do not offer true context-sensitive help.
  3. We use the same source control system that is used by our software developers and check our Robohelp files into the same mainline code branch--this means that up-to-date documentation accompanies each release from mainline. Typically, we do not update the help files in our patch branches, since this would mean duplicate work (after updating the help in the patch branch, we'd have to make the same updates to the mainline branch). Instead, we use release notes to document any user interface or functional changes in patch releases. That said, the majority of our patch branches are for bug fixes, not enhancements, so they require only limited changes to the help.
  4. Our entire help system is automatically generated during our nightly software build using the RHCL batch command. When customers install a new release of our software, the latest help files are automatically written to their computers.
  5. After major releases only, we generate a revised Word/PDF file for each project and post those files on our customer support portal. Other than that, we make no attempt to provide improved documentation to customers who are using downlevel software. That is, if we need to rewrite the basic instructions for some task, we update the mainline branch for use with the next software release and all subsequent releases. I guess we figure that if our customers are interested in the latest and greatest instructions, they should spring for the cost of a software upgrade.

• Software Developer / Cyber Security

  Moderator edit - content deleted, not in accordance with forum guidelines.
  zantzz - your interest is appreciated, but this forum is not the appropriate place for your request. Tom K.
  Closed.

  From what I read Verzion's suite is McAfee "powered" and opinions are certainly mixed. For win 7 I use Microsoft Security Essentials, Windows Firewall and Malwarebytes Anti Malware (free edition). For Spam protection I use what is built into Zohomail (Free edition). I average 1 or 2 detected viruses per month from MSE and run a full manual scan with malwarebytes monthly.  
  If a forum member gives an answer you like, please give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem. Thanks !!!
  http://forums.verizon.com/t5/Verizon-net-Email/Fix-for-Missing-Inbox-sent-folders-etc-with-Internet-Explorer-11/m-p/647399

• Developing a secure desktop sharing application using AIR

  Hi all,
  I am developing a remote support tool like TeamViewer, using AIR.
  So far I managed to implement chat, file sharing etc. However, could not find any API in Adobe AIR to provide Screen Sharing or Remote Support. Can anyone suggest any techniques to achieve the same in Adobe AIR?
  Many thanks!

  I just came across an article discussing how to use Flash Media Server to create a basic IM application with Adobe AIR.  It then mentions audio/video streaming communication - it might be a possible route to take, I haven't really looked in to it at all.
  http://www.adobe.com/devnet/flashmediaserver/articles/first_im_app_05.html
  Looking at the capabilities of the Flash Media Server itself might shed more light on the issue.  I believe it would require the AIR app to be built using Flex though.

• Need elp in developing a security system.

  hi all,
  My problem is that i have to create a security system for my webservices. So i have gone trough many apis of java. My doubt is if i use these apis and send my encrypted xml to client who uses .Net system is it possible for decrypt those xml. please suggest some good api for webservice security.
  regards richard

  SSL/TLS using JSSE.

• JSP development and security issue

  I saw several "serious integrations" and also some postings
  here which are suggesting to put a jsp in /public_html directory...
  Be aware, that nothing will prevent a user from uploading
  a new jsp to this location and then executing it from a
  remotely client, which can seriously damage your system!

  Correction: I made an assumption that "/public_html"
  has (in the many cases) write access, since people are posting
  files in this public access directory...

• How can I turn off the WLS 6.1 security in order to develop my own application-based security module?

  Dear Colleagues,
  I am currently developing a J2EE application using WLS 6.1.
  My team and I have to implement a security requirement to suit our company's needs.
  The security requirements are that, users' password need to be aged (30 days maximum) and we need to provided a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
  Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
  Now we need to develop our own security module.
  I have 2 questions:
  1. How can we turn off the WLS security in order develop our own application-based security module?
  2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
  At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.

  hi,
  1.You can write your own realm in 61 which can plugged for your security
  calls.
  2. once you write your ownrealm.. you can access it through weblogic
  api/ur api..
  thanks
  kiran
  "Richard Koudry" <[email protected]> wrote in message
  news:3dd0d081$[email protected]..
  Dear Colleagues,
  I am currently developing a J2EE application using WLS 6.1.
  My team and I have to implement a security requirement to suit ourcompany's needs.
  >
  The security requirements are that, users' password need to be aged (30days maximum) and we need to provided a GUI front-end (JSP) to allow users
  to change their password when these expire after 30 days.
  >
  Our internal contacts in the company, have already taken the lead to findout about whether we will be able to use the WLS 6.1 platform to do this and
  the answer we got back, was.
  >
  Now we need to develop our own security module.
  I have 2 questions:
  1. How can we turn off the WLS security in order develop our ownapplication-based security module?
  >
  2. How can we develop a security module that allows us to age users'password and provide them with facilities to change their passwords when
  these expire?
  >
  At the moment, we are using the default BEA WebLogic login.jsp page andthere some configuration in the web.xml for this. I will be grateful if you
  could advise me on how to turn this default security off so that we can
  write our own security module.

• Guide to developing SECURE TOMCAT/JSP web apps - ??

  Hi,
  It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
  Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
  Q2 - How do you ensure directory's under doc root can't be viewed? (ie users see a directory listings)
       - is putting in an index.html in each sub-directory a solid answer?
       - can this be handled in one hit via WEB.XML entries? if so an example if possible?
  Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
  Q3 check that user (ie specific) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, ie and that all JSP pages are effectively assessable under docroot). Easy way of doing this?
       eg (a) put specific check at beginning of each JSP page?
       (b) other?
  and
  Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4". Easy way of doing this?
       eg (a) put specific check at beginning of JSP page?
       (b) other
  Q5 Is it generally acceptable, given appropriate precautions are taken, to setup a web site with all JSP files assessable under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
       (a) as above put a specific check at the beginning of the JSP page
       (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
  - in this case how can one hide specific directories under doc root?
       (c) other??
  Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
  Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
  Thanks in Advance
  Greg

  Have you ever looked at the Jakarta struts framework for developing web apps? You could then incorporate your custom designed security both into your own extension of the controller servlet (check if particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You cal also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

• Urgent Requirement : Java Web Developer with Websphere Portal : CA

  The Strategic Technologies Software Engineer - Advanced
  Job Title – Software Engineer - Advanced
  Location : CA
  Description:
  •     This Advanced Web Developer position will be a development team that is enhancing the feature set on the corporate intranet, IBM portal based system.
  •     Responsible for designing, developing and unit test components in a highly iterative and agile manner.
  •     Responsible for Design and Development of JSR168 portlets, servlets, JSPs and deploying the same to IBM WebSphere Environment. Ability to understand Themes, Personalization, SSO and integrate portlets.
  •     Responsible for writing Data access components using plain Java/JDBC and as well as using technologies like Spring and Hibernate
  •     Ability to quickly learn and come up to speed in a new environment and follow standards.
  •     Aside from solid web development skills, the candidate filling this position must have experience with test driven develop (TDD) techniques and have the demeanor and communication skills required for pair programming.
  •     Responsible for coordinating with team members to achieve desired results and possible mentoring of Junior programmers whenever there is a need.
  •     Proactively identifying issues in the development and bring up the same to the attention of tech lead or management attention at the very early stages. Ability to learn from team mates and solving issues quickly with the help of more knowledgeable team mates in that technology
  •     Strong experience in JSR 168 compliant, portlet design and development, preferably in a IBM portal environment – 2 to 4 years
  •     Strong experience with Java, J2EE web application design, development of servlets, jsps, JSTL and good understanding of MVC framework – minimum 4 years
  •     Strong experience in coding unit tests with JUNIT
  •     Experience with Javascript , html, XML and CSS in support of web application development
  •     Experience with design and development of data access component in Java with SQL knowledge
  •     Experience using IDEs like Eclipse , RAD and application servers like IBM Websphere Application Server
  •     Must have good communication skills both verbally and in written form and the ability to work independently with minimal guidance and as a member of a team. Education: A computer science college degree or equivalent experience.
  Must have:
  •     8 years Java web development skills and excellent understanding of object-oriented analysis / design / programming.
  5 years:
  •     Deep understanding of web application design / web security
  •     Good understanding of Model-View controller distributed architectures.
  •     Experience with Websphere Studio Application Developer (Eclipse)
  •     Experience with Service Oriented Architecture (SOA)
  •     OO Analysis and Design experience.
  •     Experience with the scrum agile development methodology, including TDD and JUNIT.
  Hands-on experience with IBM's Websphere Portal is required.
  If it interest you, please send your updated resume with your contact details ASAP at [email protected].
  Regards,
  Ejaz
  Symphony Enterprises LLC
  412-250-7227 (Tel) | 412-774-9230 (Fax)
  IT Staffing | Training |
  VERTICALS | Banking, Finance, Insurance | Healthcare | Manufacturing | Retail & Distribution
  [email protected] | www.symphonyenterprises.com
  WMBE & NWBE Certified Company
  A Member of Women's Business Enterprise National Council (WBENC)
  and National Association of Women Business Owners (NAWBO)

  I'm getting the same error on WebSphere 6.1.5. Is there any solution for this?

• Best Practice for Securing Web Services in the BPEL Workflow

  What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
  They are all deployed on the same oracle application server.
  Defining agent for each?
  Gateway for all?
  BPEL security extension?
  The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
  Regards
  Farbod

  It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
  The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
  Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
  If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
  Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
  You can enforce rules at your network layer to allow access to the App server only from Gateway.
  When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
  The next BPEL developer in your project may not be aware of Security extensions
  Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
  Thanks
  Ram