<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: SOA security exposure?</title>
	<atom:link href="http://www.lustratusrepama.com/litebytes/soa/soa-security-exposure/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lustratusrepama.com/litebytes/soa/soa-security-exposure/</link>
	<description>The Lustratus Research blog - thought leadership in SOA, Cloud Computing and Infrastructure Software</description>
	<lastBuildDate>Tue, 15 Jun 2010 17:14:12 +0100</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Steve Craggs</title>
		<link>http://www.lustratusrepama.com/litebytes/soa/soa-security-exposure/comment-page-1/#comment-57</link>
		<dc:creator>Steve Craggs</dc:creator>
		<pubDate>Thu, 05 Jul 2007 09:43:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.lustratusrepama.com/litebytes/uncategorized/soa-security-exposure/#comment-57</guid>
<description>Agreed, Anil.
And thanks for the information.
My point is that I think people are using SOA without realising that they need to make sure the appropriate security measures and configurations are in place.
Steve
</description>
		<content:encoded><![CDATA[<p>Agreed, Anil.<br />
And thanks for the information.<br />
My point is that I think people are using SOA without realising that they need to make sure the appropriate security measures and configurations are in place.<br />
Steve</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Anil John</title>
		<link>http://www.lustratusrepama.com/litebytes/soa/soa-security-exposure/comment-page-1/#comment-56</link>
		<dc:creator>Anil John</dc:creator>
		<pubDate>Wed, 04 Jul 2007 22:02:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.lustratusrepama.com/litebytes/uncategorized/soa-security-exposure/#comment-56</guid>
		<description>Defending against schema poisoning attacks, as you noted, as well as XML DoS attacks, is precisely how a properly configured XML Security Gateway deployed as a centralized Policy Enforcement Point in your perimeter network should be used.
</description>
		<content:encoded><![CDATA[<p>Defending against schema poisoning attacks, as you noted, as well as XML DoS attacks, is precisely how a properly configured XML Security Gateway deployed as a centralized Policy Enforcement Point in your perimeter network should be used.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ronan Bradley</title>
		<link>http://www.lustratusrepama.com/litebytes/soa/soa-security-exposure/comment-page-1/#comment-55</link>
		<dc:creator>Ronan Bradley</dc:creator>
		<pubDate>Thu, 07 Jun 2007 14:09:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.lustratusrepama.com/litebytes/uncategorized/soa-security-exposure/#comment-55</guid>
		<description>Steve raised an interesting point - most discussion around XML on the network focuses on the problem of network overloading due to the typically larger size of XML messages. In comparison, security issues such as the risk of DoS have been (relatively) ignored. The lack of general interest in the problem can be seen in the repositioning of most of the XML firewall vendors into XML acceleration (Vordel – www.vordel.com being one notable exception).
The first question is why has it been ignored? Clearly the existence of XML firewall products shows it hasn’t been entirely ignored, and a quick search throws up some discussion of the issues (http://lists.xml.org/archives/xml-dev/200508/msg00150.html), but it has never really made it into mainstream thinking. I suspect that this is partly related to the close connection between HTML and XML, which leads people to assume that if you cover one, you cover the other one as well. The risk can be dealt with by taking each incoming document and validating it against well-defined schemas that do not allow rogue documents capable of infinite recursion. However, the complexity inherent in many XML schemas (take a look at XBRL for financial reporting or FpML for financial derivatives) inevitably increases the chance of deficiencies in the schema definitions (assuming that the schema designer was even aware of the risk in the first place).
The second question is: does it matter? I suspect that the main defence at the moment is probably ignorance – which, as any security consultant will tell you, is no defence. And as SOA drives up the number of XML messages being sent around the enterprise, the level of exposure is likely to increase. The solution is really two-fold: implement good policy around schema definition and enforce good policy around document validation.
Ronan
</description>
		<content:encoded><![CDATA[<p>Steve raised an interesting point &#8211; most discussion around XML on the network focuses on the problem of network overloading due to the typically larger size of XML messages. In comparison, security issues such as the risk of DoS have been (relatively) ignored. The lack of general interest in the problem can be seen in the repositioning of most of the XML firewall vendors into XML acceleration (Vordel – <a href="http://www.vordel.com" rel="nofollow">http://www.vordel.com</a> being one notable exception).<br />
The first question is why has it been ignored? Clearly the existence of XML firewall products shows it hasn’t been entirely ignored, and a quick search throws up some discussion of the issues (<a href="http://lists.xml.org/archives/xml-dev/200508/msg00150.html" rel="nofollow">http://lists.xml.org/archives/xml-dev/200508/msg00150.html</a>), but it has never really made it into mainstream thinking. I suspect that this is partly related to the close connection between HTML and XML, which leads people to assume that if you cover one, you cover the other one as well. The risk can be dealt with by taking each incoming document and validating it against well-defined schemas that do not allow rogue documents capable of infinite recursion. However, the complexity inherent in many XML schemas (take a look at XBRL for financial reporting or FpML for financial derivatives) inevitably increases the chance of deficiencies in the schema definitions (assuming that the schema designer was even aware of the risk in the first place).<br />
The second question is: does it matter? I suspect that the main defence at the moment is probably ignorance – which, as any security consultant will tell you &#8211; is no defence. And as SOA drives up the number of XML messages being sent around the enterprise, the level of exposure is likely to increase. The solution is really two-fold: implement good policy around schema definition and enforce good policy around document validation.<br />
Ronan</p>
]]></content:encoded>
	</item>
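<![CDATA[
Anil's point about an XML Security Gateway as a Policy Enforcement Point and Ronan's two-part answer (policy on schema definition, enforcement at document validation) both reduce to the same thing at the wire: refuse inbound XML that a legitimate message never needs before the parser spends memory on it. The block below is an added example written for this page; it is not code from either commenter, from Vordel, or from any product mentioned above. It uses only the Python standard-library expat parser and enforces the controls a gateway would apply in front of schema validation: a byte-size cap, a ban on DOCTYPE declarations (which is where entity-expansion "billion laughs" payloads and external entity references live), a nesting-depth limit against the infinite-recursion case Ronan describes, and an element-count limit. The names guarded_parse, XmlPolicyViolation, is_rejected, the numeric limits and the three sample payloads are all assumptions constructed for the example.

```python
"""Parse-time guards against XML denial-of-service payloads.

Added example, not from the original post or any vendor product. Uses only
the standard-library expat binding; the limits and sample payloads below
are constructed for illustration.
"""
import xml.parsers.expat as expat


class XmlPolicyViolation(Exception):
    """Raised when an inbound document breaks the parsing policy."""


# Policy limits (constructed for the example; size them from the message
# schemas you actually accept, not from what the parser can survive).
MAX_DEPTH = 32          # deepest nesting a legitimate message needs
MAX_ELEMENTS = 10_000   # upper bound on elements per message
MAX_BYTES = 1_000_000   # reject oversize payloads before parsing at all


def guarded_parse(data, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS,
                  max_bytes=MAX_BYTES):
    """Parse `data` (bytes) under size, DTD, depth and element-count limits.

    Returns a summary dict on success. Raises XmlPolicyViolation on the
    first breach; expat stops at the raising handler, so a hostile payload
    is never expanded in memory.
    """
    if len(data) > max_bytes:
        raise XmlPolicyViolation(
            "payload of %d bytes exceeds %d" % (len(data), max_bytes))

    parser = expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity expansion and external entity fetches both require a DTD.
        # Service-to-service messages do not, so reject it outright.
        raise XmlPolicyViolation("DOCTYPE declarations are not permitted")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise XmlPolicyViolation(
                "nesting deeper than %d at element %s" % (max_depth, name))
        if state["elements"] > max_elements:
            raise XmlPolicyViolation(
                "more than %d elements" % max_elements)

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XmlPolicyViolation("malformed XML: %s" % exc) from exc
    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def is_rejected(data, **limits):
    """True if guarded_parse refuses `data` under the given limits."""
    try:
        guarded_parse(data, **limits)
    except XmlPolicyViolation:
        return True
    return False


# Constructed sample payloads.
# 1. Classic entity-expansion payload: three nesting levels here, but the
#    same shape grows to gigabytes of expansion with a few more entities.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""


def deeply_nested(depth):
    """Well-formed document nested `depth` levels deep (recursion attack)."""
    return b"<a>" * depth + b"x" + b"</a>" * depth


# 3. Flat flood of elements: shallow, but far beyond any real message.
FLOOD = b"<r>" + b"<e/>" * 20_000 + b"</r>"

# A legitimate-looking business message for comparison.
ORDER = (b"<order><id>42</id><lines><line><sku>A1</sku>"
         b"<qty>2</qty></line></lines></order>")


if __name__ == "__main__":
    print("order     ->", guarded_parse(ORDER))
    for label, payload in [("billion laughs", BILLION_LAUGHS),
                           ("depth 64", deeply_nested(64)),
                           ("flood", FLOOD)]:
        print("%-14s -> rejected: %s" % (label, is_rejected(payload)))
```

The guards run inside the parser callbacks, so the decision is made on the first offending token rather than after the whole document has been built. If you then validate against an XSD (for instance with lxml's XMLSchema), do it after these checks, since the validator has to parse the document first and a schema that accepts unbounded recursion, the deficiency Ronan warns about, offers no protection on its own.
]]>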
</channel>
</rss>
