XML messaging security under the gun

XML Developer Tip

Leigh Dodds, author of the XML-Deviant column at xml.com puts forward some interesting summary and analysis from the XML developer community in a recent column entitled "In a Lather About Security." What he has to say is important and potentially serious enough to be worth a brief recap here, but those of you who are interested in more detail should not only read his story, but follow his links to the original source materials as well.

SOAP is the Simple Object Access Protocol, an XML-based technology designed to pass messages between applications across a network. RPC stands for Remote Procedure Call, and represents a set of programmatic interfaces to let local applications request and reply to network access and services "as if they were local." REST stands for Representational State Transfer, a Web oriented set of transaction services that defines its own mechanisms to model and handle networked transactions of all kinds.

As Dodd's article points out, there's a raging debate in the XML developer community right now that while SOAP-RPC is a powerful and all-too-usable technology to bolt applications and services together across a network, it's fraught with potential security issues that could be problematic in many, many scary ways. The real kicker is that using SOAP-RPC essentially hides all kinds of potentially classified or confidential information inside the standard Web communications protocol, HTTP. This not only makes it possible to slip SOAP-RPC traffic through corporate firewalls (normally deliberately open for Web traffic on port 80) but lets developers bypass or ignore security safeguards at the same time.

REST on the other hand takes a much more formal and explicit notion of transaction modeling into account when modeling and implementing networked

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT XML Developer Use the soapUI software tool to tame WSDL WSDL 2.0, new messaging for Web services Using RELAX NG For data integration Efficient XML Interchange tackles data verbosity XML to DDL imports, synchronizes database schemata The basics of MathML 3.0 Migrating to XSLT 2.0 What's up with XML 2.0? Say hello to XPath 2.0 Podcasting software covers many bases XML and XML schema SOA pattern of the week (#7): policy centralization Try XML-based Extensible Business Reporting Language (XBRL) for accounting reports What's new at the W3C Ganymede: Modeling tools target SOA, UML Data services mashups emerge for SOA Making sense of data services mashups XML turns 10 SOA helps save 100-year-old business Oracle maps heterogeneous data services strategy for SOA Handling XML with Ajax XML National Weather Service policy supports XML XML and democracy at work: The Election Markup Language (EML) For interesting interface access, check out Xamlon Royalty-free, revolutionary UBL Altova strikes again with MapForce 2005 Beating the RSS crunch with aggregation/bloglines Voice, speech, SIP, and XML: ECMA-269 Microsoft Baseline Security Analyzer and XML An open source, native XML database: dbXML 2.0 Second-generation XML security preview: SAML

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary class diagram  (SearchSOA.com) Fast Infoset (FI)  (SearchSOA.com) GeoRSS  (SearchSOA.com) Keyhole Markup Language  (SearchSOA.com) RELAX NG  (SearchSOA.com) state diagram  (SearchSOA.com) Universal Business Language  (SearchSOA.com) Vector Markup Language  (SearchSOA.com) XML infoset  (SearchSOA.com) XML pipeline  (SearchSOA.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

communications. This makes it more straightforward and possible to build security concerns in from the ground up, and implies that this approach has a better chance of being secure. But like SOAP-RPC, while REST has the potential to offer enhanced security, it has no absolute requirements that security considerations be addressed in building and implementing transaction handling systems.

Dodds reports that Michael Brennan, of Allegis.com, says that issues likely to cause security problems in Web services are the same issues that cause such problems already (the following list is paraphrased from Brennan's original e-mail message). They include:

Ultimately, the real solution to these problems will come from training software architects and developers to "think security" from the very inception of their designs. It also means making security audits and testing part of standard software testing methodologies, and making sure that security issues are addressed when consumers go to vendors or service providers to purchase services, products, or information. Although these concerns address more than XML, they must become part and parcel of the way services are conceived, developed, and delivered. Because XML is key to development of future Web services, this debate must continue and be heeded within the XML community.

Have questions, comments, or feedback about this or other XML-related topics? Please e-mail me care of tips@searchwebservices.com. I'm always glad to hear from my readers.

About the Author

[IMAGE]Ed Tittel is a principal at LANWrights, Inc., a wholly owned subsidiary of LeapIt.com. LANWrights offers training, writing, and consulting services on Internet, networking, and Web topics (including XML and XHTML), plus various IT certifications (Microsoft, Sun/Java, and Prosoft/CIW).

For More Information

Rate this Tip To rate tips, you must be a member of SearchSOA.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.