Extensible Markup Language and XML-based protocols are rapidly becoming a
common way for businesses to format and exchange corporate information. But even
as those Web services technologies are becoming widespread, companies are not
fully aware of the associated security vulnerabilities -- nor that most are not
addressed by mainstream network protection systems, according to analysts.
"We think XML will introduce a few new dangers and reinvigorate a couple of
old dangers," said John Pescatore, security analyst at research company Gartner.
"Security people do have to understand the basic structures of Web services and
the types of things that can go wrong."
Right now, the risks of malicious attacks on XML and Web services are
relatively contained. Businesses typically have used Web services to connect
internal applications and share information with a well-known network of
business partners. Because these applications are used by trusted parties, the
risk is mitigated.
However, once companies start using Web services and XML more extensively,
they need to reconsider how they are exposing their data -- and to what, Gartner
analyst Benoit Lheureux said. Infiltrating a corporate network by tapping into
Web services interfaces is potentially more damaging than simply knocking out a
Web site, because business-to-business applications expose valuable corporate
information, he noted.
Typical security products, such as network firewalls or antivirus software,
are designed to keep unwanted intruders from entering corporate networks or to
prevent attacks that can disable a machine. Applications that send information
via XML documents use the same Internet network protocols that traditional
security products monitor.
But because XML messages travel inside the same IP "envelope" that most firewalls
are designed to track, typically over the same HTTP ports as ordinary Web traffic,
corporate networks inspect the envelope but not the contents. Fraudulent XML
messages could therefore enter corporate networks undetected, analysts said.
Because these types of issues are relatively new, companies could be blindsided
if they do not fully appreciate the dangers.
"XML attacks are more insidious," said Randy Heffner, an analyst at Forrester
Research. "There are ways, not fully understood, to attack an XML endpoint via
the structure and content of the XML itself, aside from slamming it with too
One commonplace technique for bringing down a Web server is a distributed
denial-of-service attack, which floods a server computer with a huge number of
requests. The equivalent in XML applications is an XML denial-of-service attack,
in which a spike in incoming XML messages, which may be bogus, takes a network
server out of commission. Malicious hackers also could manipulate the contents
of individual XML documents so that merely parsing them bogs down a system,
Heffner noted.
A growing threat
The rising use of XML in business networks
creates a growing target for hackers, similar to what's happened with Web
servers and Microsoft Exchange servers. Although some XML network risks are
still theoretical, vulnerabilities are already being detected. For example, one
security bulletin posted on security Web site SecurityFocus described an XML
External Entity (XXE) attack, which exploits an XML "parser" -- the software that
processes incoming XML messages -- that has been left configured to resolve
entities named in the document. An attacker can make such a parser read files or
contact internal systems on the attacker's behalf, gaining a foothold in the
network, or make it expand entities until the server runs out of resources.
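As an added example (not code from the article, nor from any of the vendors it names), the following Python filter shows the pre-parse checks an XML-aware gateway can apply to an inbound SOAP message before it reaches a back-end parser. It refuses any DOCTYPE declaration, which is the only place the entities behind an XXE attack or an entity-expansion bomb can be declared, and it caps message size, element count and nesting depth against the structural denial of service described above. The limits and the four sample messages are constructed for illustration and are not captured traffic.

```python
"""Pre-parse policy filter for inbound SOAP/XML messages.

Added example, not code from the article or from any vendor named in it.
It sketches what an XML-aware gateway does before a message reaches a
back-end parser: reject DOCTYPE declarations (the vehicle for XML External
Entity attacks and entity-expansion bombs) and cap message size, element
count and nesting depth (structural XML denial of service).
The limits and the sample messages below are constructed for illustration.
"""
import xml.parsers.expat

# Policy limits: illustrative values, tune per service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class PolicyViolation(Exception):
    """Raised from an expat callback to abort parsing at the first violation."""


def check_xml_message(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one inbound XML message.

    The check is a single streaming pass with expat; no document tree is
    built, so a malicious message costs at most O(len(data)) before rejection.
    """
    if len(data) > MAX_BYTES:
        return False, f"message exceeds {MAX_BYTES} bytes"

    depth = 0
    elements = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: SOAP has no legitimate use for one, and it
        # is the only place entities (internal or external) can be declared.
        # This fires before any entity is declared, so nothing is expanded.
        raise PolicyViolation(f"DOCTYPE not allowed (root '{name}')")

    def on_entity_decl(*args):
        # Defence in depth: unreachable if on_doctype fired first, but kept so
        # the filter fails closed if the DOCTYPE callback is ever disabled.
        raise PolicyViolation("entity declaration not allowed")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > MAX_DEPTH:
            raise PolicyViolation(f"nesting deeper than {MAX_DEPTH}")
        if elements > MAX_ELEMENTS:
            raise PolicyViolation(f"more than {MAX_ELEMENTS} elements")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)
    except PolicyViolation as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, "ok"


# Constructed sample messages (not captured traffic).
LEGIT_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>12345</AccountId></GetBalance></soap:Body>
</soap:Envelope>"""

# XML External Entity: a back-end parser that resolves external entities
# would read the named local file and echo it back inside the response.
XXE_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>&xxe;</AccountId></GetBalance></soap:Body>
</soap:Envelope>"""

# Entity-expansion bomb ("billion laughs"): a few hundred bytes that expand
# to a huge string inside a parser that honours internal entities.
BOMB_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Structural denial of service: well-formed, no DOCTYPE, but nested far
# deeper than any real SOAP body; recursive tree builders pay for this.
DEEP_SOAP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             + b"<a>" * 200 + b"x" + b"</a>" * 200
             + b"</soap:Body></soap:Envelope>")

if __name__ == "__main__":
    for label, msg in [("legit", LEGIT_SOAP), ("xxe", XXE_SOAP),
                       ("bomb", BOMB_SOAP), ("deep", DEEP_SOAP)]:
        print(label, check_xml_message(msg))
```

Running the block prints one verdict per sample: the legitimate envelope is accepted, the XXE and entity-bomb messages are rejected the moment their DOCTYPE is read, before a single entity is declared or expanded, and the deeply nested message is rejected on the 33rd open tag. Refusing DOCTYPE outright is the right policy for SOAP, whose envelope never needs one; for formats that legitimately carry a DTD the gateway would instead have to whitelist it and still forbid external entity declarations.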
Fortunately for corporate security experts, hackers have not begun targeting
XML and Web services in earnest yet -- their use is still too limited to present
a tempting target, and the skill level required to launch a malicious attack is
"Your average script kiddie in a black T-shirt in his basement is probably
not hacking XML yet. You need to get a computer science degree to do that," said
Chris Darby, chief executive of XML network company Sarvega and former CEO of
security company @stake. "So, if there are attacks, they aren't very
Sarvega, one of several companies founded in the past few years to address
XML security and performance, earlier this month entered the market with a new
product line called Guardian Security.
Security gateway appliances, such as Sarvega XML Guardian Security Gateway,
are designed to offload security tasks normally handled by other network gear or
by the application servers themselves. They handle the encryption of XML
messages, enforce policies governing who may access a service, and log network
activity for auditing purposes and for tracing potential attackers.
Other companies that sell appliances for faster XML processing and security
include DataPower Technology, Forum Systems, Layer 7 Technologies, Reactivity,
Vordel and Westbridge Technology.
One large agency in Massachusetts purchased security gateways from
DataPower to protect the state's back-end systems from possible intrusions via
public-facing applications that use XML. The agency is using XML documents and
the Simple Object Access Protocol (SOAP), an XML-based communications protocol,
to share information between different systems, including a public-facing Web
"Since this system passes sensitive information, we felt we needed a product
that could filter XML messages," said a security expert at the agency, who
requested anonymity. The agency went with an XML-specific network gateway,
because most existing firewalls do not inspect SOAP messages, he said.
Urge to merge
Eventually, XML-aware networking capabilities will
be integrated into devices from well-established networking infrastructure
companies such as Cisco Systems and Juniper Networks, said Abner Germanow, an
analyst at IDC. He expects many of the smaller networking companies with
specialised XML skills to be acquired by larger players.
Web services standards groups are grappling with the security issue as well.
The Web Services Security specification, which defines how SOAP messages are
signed, encrypted and carry security tokens for authentication, is going through
the final stages of ratification at the Organization for the Advancement of
Structured Information Standards. Separately, the Web Services Interoperability
organisation is planning to provide an initial draft of guidelines on how to
implement the various XML-based security standards together.
Analysts expect more stable standards to make Web services applications more
viable for corporations, but the added complexity of many interdependent
standards, such as security and business workflow, could also create more
security loopholes, experts said.
"Complexity in and of itself is generally prejudicial to security," said Tim
Bray, one of the co-inventors of XML and now a technical director at Sun
Microsystems' software group.
Analysts said companies committing to XML and Web services should investigate
specialised products and beef up their security skills to better understand the
risks. For example, security experts should learn how to validate Web Services
Description Language documents, the XML-based descriptions of what operations a
given Web service offers and what messages it accepts. Companies can also use
existing security techniques, such as Secure Sockets Layer, to protect messages
in transit, though transport encryption alone does nothing to stop a malicious
XML document that arrives over an encrypted connection.
As XML becomes more pervasive, many companies may already have more risks
than they are aware of. Many packaged applications, such as Microsoft Office
2003 or Oracle software, use Web services extensively, noted Gartner's
"Three years from now, all the edge firewalls will be processing Web services
connections like every other connection," Pescatore said. "The problem is, most
enterprises are not even thinking about this."