XML messaging security under the gun


Ed Tittel
03.13.2002

Leigh Dodds, author of the XML-Deviant column at xml.com, puts forward an interesting summary and analysis of discussion in the XML developer community in a recent column entitled "In a Lather About Security." What he has to say is important and potentially serious enough to be worth a brief recap here, but those of you who are interested in more detail should not only read his story, but follow his links to the original source materials as well.

SOAP is the Simple Object Access Protocol, an XML-based technology designed to pass messages between applications across a network. RPC stands for Remote Procedure Call, and represents a set of programmatic interfaces that let local applications request and reply to network access and services "as if they were local." REST stands for Representational State Transfer, a Web-oriented set of transaction services that defines its own mechanisms to model and handle networked transactions of all kinds.

As Dodds' article points out, there's a raging debate in the XML developer community right now: while SOAP-RPC is a powerful and all-too-usable technology for bolting applications and services together across a network, it's fraught with potential security issues that could be problematic in many, many scary ways. The real kicker is that using SOAP-RPC essentially hides all kinds of potentially classified or confidential information inside the standard Web communications protocol, HTTP. This not only makes it possible to slip SOAP-RPC traffic through corporate firewalls (normally deliberately open for Web traffic on port 80) but lets developers bypass or ignore security safeguards at the same time.

REST, on the other hand, takes a much more formal and explicit notion of transaction modeling into account when modeling and implementing networked communications. This makes it more straightforward to build security concerns in from the ground up, and implies that this approach has a better chance of being secure. But like SOAP-RPC, while REST has the potential to offer enhanced security, it has no absolute requirement that security considerations be addressed in building and implementing transaction handling systems.

Dodds reports that Michael Brennan, of Allegis.com, says that issues likely to cause security problems in Web services are the same issues that cause such problems already (the following list is paraphrased from Brennan's original e-mail message). They include:

  1. Some developers who accept incoming data that arrives from the network at "face value" (without checks) thus opening themselves to attack, contamination, and compromise;
  2. Some developers who still believe in "security through obscurity" (a naïve assumption that if a service isn't advertised, it won't be noticed or attacked);
  3. Developers who do not write code that takes precautions against sniffing or snooping (electronic eavesdropping) when insecure channels or methods are used for network communications;
  4. Vendors who stress features and "first-to-market" in their products, without paying proper heed to security, to their own and their customers' detriment;
  5. Vendors who promise to handle security matters for developers without putting their products through proper checks or testing;
  6. Those who believe that simply installing and configuring a firewall confers absolute network security. Because of HTTP tunneling issues and other ways to make end runs through firewalls, this is sadly mistaken.
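Item 1 above is the one a developer can fix directly in code. The following is an added example, not code from the article or from any project it mentions: a small gatekeeper that parses a SOAP 1.1 request and checks the RPC method and its parameters against an allowlist before anything is dispatched, instead of taking the incoming XML at "face value." The service namespace, method names and parameter rules are constructed for illustration.

```python
"""Check a SOAP-RPC request before dispatching it (added example)."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example-service"  # hypothetical application namespace

# Allowlist of callable methods: method -> {param: (expected type, max length)}
ALLOWED_METHODS = {
    "GetOrderStatus": {"orderId": (int, 12)},
    "Echo": {"text": (str, 256)},
}


def validate_rpc_request(xml_text):
    """Return (ok, reason). Only an allowlisted method whose parameters are
    present, well-typed and bounded passes; everything else is rejected."""
    if len(xml_text) > 8192:
        return False, "envelope too large"
    try:
        root = ET.fromstring(xml_text)  # stdlib parser, no network fetches
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    body = root.find("{%s}Body" % SOAP_ENV)
    if root.tag != "{%s}Envelope" % SOAP_ENV or body is None:
        return False, "not a SOAP envelope"
    calls = list(body)
    if len(calls) != 1:
        return False, "expected exactly one RPC call in Body"
    call = calls[0]
    method = call.tag.rpartition("}")[2]  # strip the namespace prefix
    if method not in ALLOWED_METHODS or call.tag != "{%s}%s" % (SERVICE_NS, method):
        return False, "method not allowed: %s" % call.tag
    rules = ALLOWED_METHODS[method]
    params = {p.tag: (p.text or "") for p in call}
    if len(list(call)) != len(rules) or set(params) != set(rules):
        return False, "parameter set does not match method signature"
    for name, (ptype, max_len) in rules.items():
        value = params[name]
        if len(value) > max_len:
            return False, "parameter %s too long" % name
        if ptype is int and not value.strip().lstrip("-").isdigit():
            return False, "parameter %s is not an integer" % name
    return True, method


# Constructed sample requests: one acceptable, two that must be refused.
GOOD_REQUEST = (
    '<?xml version="1.0"?><soap:Envelope xmlns:soap="%s"><soap:Body>'
    '<svc:GetOrderStatus xmlns:svc="%s"><orderId>42</orderId>'
    '</svc:GetOrderStatus></soap:Body></soap:Envelope>' % (SOAP_ENV, SERVICE_NS)
)
BAD_METHOD = GOOD_REQUEST.replace("GetOrderStatus", "UnlistedMethod")
BAD_PARAM = GOOD_REQUEST.replace("42", "forty-two")
```

Every reason string is returned rather than printed so the caller can log the rejection, which is what turns an unchecked endpoint into one whose refused requests are visible to operations.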

Ultimately, the real solution to these problems will come from training software architects and developers to "think security" from the very inception of their designs. It also means making security audits and testing part of standard software testing methodologies, and making sure that security issues are addressed when consumers go to vendors or service providers to purchase services, products, or information. Although these concerns address more than XML, they must become part and parcel of the way services are conceived, developed, and delivered. Because XML is key to development of future Web services, this debate must continue and be heeded within the XML community.

Have questions, comments, or feedback about this or other XML-related topics? Please e-mail me care of tips@searchwebservices.com. I'm always glad to hear from my readers.



About the Author

Ed Tittel is a principal at LANWrights, Inc., a wholly owned subsidiary of LeapIt.com. LANWrights offers training, writing, and consulting services on Internet, networking, and Web topics (including XML and XHTML), plus various IT certifications (Microsoft, Sun/Java, and Prosoft/CIW).

All Rights Reserved, Copyright 2001 - 2009, TechTarget | Read our Privacy Policy