Treading the safe XML path

Creating a popular new computing approach always seems to bring with it a familiar catch-22: security issues. Web services -- and XML -- are no exception.
Written by Martin LaMonica, Contributor

Extensible Markup Language and XML-based protocols are rapidly becoming a common way for businesses to format and exchange corporate information. But even as those Web services technologies are becoming widespread, companies are not fully aware of the associated security vulnerabilities -- or that mainstream network protection systems do not address most of them, according to analysts.

"We think XML will introduce a few new dangers and reinvigorate a couple of old dangers," said John Pescatore, security analyst at research company Gartner. "Security people do have to understand the basic structures of Web services and the types of things that can go wrong."

Right now, the risks of malicious attacks on XML and Web services are relatively contained. Businesses typically have used Web services to connect internal applications and share information with a well-known network of business partners. Because these applications are used by trusted parties, the risk is mitigated.

However, once companies start using Web services and XML more extensively, they need to reconsider how they are exposing their data -- and to what, Gartner analyst Benoit Lheureux said. Infiltrating a corporate network by tapping into Web services interfaces is potentially more damaging than simply knocking out a Web site, because business-to-business applications expose valuable corporate information, he noted.

Typical security products, such as network firewalls or antivirus software, are designed to keep unwanted intruders from entering corporate networks or to prevent attacks that can disable a machine. Applications that send information via XML documents use the same Internet network protocols that traditional security products monitor.

But because XML messages are wrapped in the IP "envelope" that most firewalls are designed to track, corporate networks inspect the envelope but not the contents. Fraudulent XML messages could therefore enter corporate networks undetected, analysts said. Because these types of issues are relatively new, companies could be blindsided if they do not fully appreciate the dangers.

"XML attacks are more insidious," said Randy Heffner, an analyst at Forrester Research. "There are ways, not fully understood, to attack an XML endpoint via the structure and content of the XML itself, aside from slamming it with too many messages."

One commonplace technique for bringing down a Web server is a distributed denial-of-service attack, which floods a server computer with a huge number of requests. The equivalent in XML applications is an XML denial-of-service attack, in which a spike in incoming XML messages, which could be bogus, takes a network server out of commission. Malicious hackers also could manipulate the contents of XML documents to bog down a system, Heffner noted.

A growing threat
The rising use of XML in business networks creates a growing target for hackers, similar to what's happened with Web servers and Microsoft Exchange servers. Although some XML network risks are still theoretical, vulnerabilities are already being detected. For example, one security bulletin posted on security Web site SecurityFocus described an XML External Entity attack, which can exploit an incorrectly configured XML "parser," the software that processes incoming XML messages, to gain access to the network or bring it down.
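
The kind of content check that envelope-only inspection misses can be sketched in a few lines. This is an added example, not code from the article or from any product it names: it screens an inbound message with Python's standard expat bindings and refuses any document type declaration (so no entities, external or otherwise, can be declared), oversized bodies and excessive nesting. The limits, the function name `screen_xml` and the sample messages are assumptions constructed for illustration.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed policy limits, not taken from the article
MAX_DEPTH = 32

class Rejected(Exception):
    """Raised by the handlers to abort parsing of a disallowed message."""

def screen_xml(data: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for one inbound XML message."""
    if len(data) > MAX_BYTES:
        return "reject: message too large"
    depth = 0

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # No DTD means no entity declarations, external or recursive.
        raise Rejected("DOCTYPE not allowed")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise Rejected("nesting too deep")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except Rejected as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError:
        return "reject: not well-formed"
    return "accept"

# Constructed sample messages (not from the article).
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><order id="1"/></soap:Body></soap:Envelope>')
WITH_DTD = (b'<!DOCTYPE order [<!ENTITY e SYSTEM "http://example.invalid/e">]>'
            b'<order>&e;</order>')
TOO_DEEP = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("dtd", WITH_DTD), ("deep", TOO_DEEP)):
        print(label, "->", screen_xml(msg))
```
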

Fortunately for corporate security experts, hackers have not begun targeting XML and Web services in earnest yet -- their use is still too limited to present a tempting target, and the skill level required to launch a malicious attack is high.

"Your average script kiddie in a black T-shirt in his basement is probably not hacking XML yet. You need to get a computer science degree to do that," said Chris Darby, chief executive of XML network company Sarvega and former CEO of security company @stake. "So, if there are attacks, they aren't very sophisticated."

Sarvega, one of several companies founded in the past few years to address XML security and performance, earlier this month entered the market with a new product line called Guardian Security.

Security gateway appliances, such as Sarvega XML Guardian Security Gateway, are designed to offload security tasks normally handled by other network gear or hardware servers. They process the encryption of XML files, enforce security policies authorising access and generate a log of network activities for auditing purposes and for tracking potential hackers.

Other companies that sell appliances for faster XML processing and security include DataPower Technology, Forum Systems, Layer 7 Technologies, Reactivity, Vordel and Westbridge Technology.

One large agency in Massachusetts purchased security gateways from DataPower to protect the state's back-end systems from possible intrusions via public-facing applications that use XML. The agency is using XML documents and the Simple Object Access Protocol (SOAP), an XML-based communications protocol, to share information between different systems, including a public-facing Web site.

"Since this system passes sensitive information, we felt we needed a product that could filter XML messages," said a security expert at the agency, who requested anonymity. The agency went with an XML-specific network gateway, because most existing firewalls do not inspect SOAP messages, he said.

Urge to merge
Eventually, XML-aware networking capabilities will be integrated into devices from well-established networking infrastructure companies such as Cisco Systems and Juniper Networks, said Abner Germanow, an analyst at IDC. He expects many of the smaller networking companies with specialised XML skills to be acquired by larger players.

Web services standards groups are grappling with the security issue as well. The Web Services Security specification, for authorising network access, is going through the final stages of ratification at the Organization for the Advancement of Structured Information Standards. Separately, the Web Services Interoperability organisation is planning to provide an initial draft of guidelines on how to implement various XML-based security standards.

Analysts expect stabler standards to make Web services applications more viable for corporations, but the added complexity of many interdependent standards, such as security and business workflow, could also create more security loopholes, experts said.

"Complexity in and of itself is generally prejudicial to security," said Tim Bray, one of the co-inventors of XML and now a technical director at Sun Microsystems' software group.

Analysts said companies committing to XML and Web services should investigate specialised products and beef up their security skills to better understand the risks. For example, security experts should learn more about how to validate Web Services Description Language, a protocol that describes what a given XML application does. Companies can also use existing security techniques, such as Secure Sockets Layer, to address some security issues.

As XML becomes more pervasive, many companies may already have more risks than they are aware of. Many packaged applications, such as Microsoft Office 2003 or Oracle software, use Web services extensively, noted Gartner's Pescatore.

"Three years from now, all the edge firewalls will be processing Web services connections like every other connection," Pescatore said. "The problem is, most enterprises are not even thinking about this."
