Securing XML

Emerging cadre of products attempt to block attacks, viruses

Security products to protect Web services are hitting the market as managers at corporations and agencies realize that Extensible Markup Language (XML), the standard file format for sharing information in Web services, is susceptible to attacks and viruses.

Although Web services offer agencies a flexible, plug-and-play architecture in which networked components work collectively, communications among those components open new security risks not covered by existing security safeguards. For instance, Web services can be hit by attacks that overwhelm the system's processing capabilities, or attackers can install malicious code in XML-based documents.

Like their corporate counterparts, agency managers adopted Web services before realizing the tools required a new level of security, said Barry Schaeffer, president of X.Systems Inc., a consulting firm and systems integrator that serves the public sector.

Many managers attempting "to translate content into XML tend to be functional managers [rather than security managers], so they don't think of security" first, Schaeffer said. But that is changing as they become more aware of the risks associated with Web services, he added.

Consultants and officials at companies devoted to Web services security are raising managers' level of awareness. During the past few months, two companies have launched security products specifically designed to secure XML and Web services while another has enhanced an existing product focused on application security.

Several products built to secure XML that recently made their debut include Sarvega Inc.'s Guardian Gateway and Guardian Accelerator and Forum Systems Inc.'s XWall firewall for Web services.

Meanwhile, Teros Inc. introduced a new version of its application gateway last month that protects XML and HTML or Web applications.

Other companies targeting XML security include DataPower Technology Inc., which provides an XML accelerator and security gateway, and Reactivity Inc., which offers an XML firewall.

Competition in this arena is heating up, said Pete Lindstrom, research director at Spire Security LLC, a consulting firm based in Malvern, Pa.

Companies that specifically focus on XML, such as Sarvega, Forum Systems, DataPower and Reactivity, offer tools for evaluation and interrogation of data in addition to encryption, Lindstrom said.

Products from these companies can drill deeper into XML content than Teros' gateway. Teros' product, however, already protects Web application environments, so users of Web services who need both HTML and XML might opt for the Teros gateway, he added.

Teros' aim is to eliminate the need to deploy and manage a separate security infrastructure to protect Web services applications, said Greg Smith, the company's senior director of product marketing.

The Teros Secure Application Gateway has an adaptive learning engine that recognizes the XML messages and data types received by applications with Web Services Description Language interfaces.

After analyzing correct behavior, Teros Gateway recommends constraints on application inputs. For example, if a Web services port is only supposed to receive account numbers and a script or some other type of data is sent to the port instead, the submission can be blocked. This approach can prevent attackers from inserting malicious code that could compromise a Web service.
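As an added example, not code from the article or from any vendor named in it, here is a simplified positive-model check in the spirit of the learning-engine approach described above: constraints are derived from known-good messages, and anything that does not fit them, such as a script string in a field that only ever held account numbers, is reported. The sample traffic, element names, size limit and rule format are constructed assumptions, and a real gateway would also need a hardened XML parser rather than the standard library one used here.

```python
import xml.etree.ElementTree as ET

# Constructed sample traffic standing in for what a learning engine would
# observe during training: every <account> holds a 10-digit number.
GOOD_SAMPLES = [
    "<lookup><account>0123456789</account></lookup>",
    "<lookup><account>9876543210</account></lookup>",
]

MAX_MESSAGE_BYTES = 4096  # assumed cap; a crude guard against oversized payloads


def leaves(elem, prefix=""):
    """Yield (path, text) for every leaf element beneath elem."""
    path = f"{prefix}/{elem.tag}"
    if len(elem) == 0:
        yield path, (elem.text or "").strip()
    for child in elem:
        yield from leaves(child, path)


def learn_constraints(samples):
    """One rule per leaf path: longest value seen, and whether all were numeric."""
    constraints = {}
    for doc in samples:
        for path, text in leaves(ET.fromstring(doc)):
            rule = constraints.setdefault(path, {"max_len": 0, "numeric": True})
            rule["max_len"] = max(rule["max_len"], len(text))
            rule["numeric"] = rule["numeric"] and text.isdigit()
    return constraints


def check_message(doc, constraints):
    """Return the list of violations; an empty list means the message passes."""
    if len(doc.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return [f"message exceeds {MAX_MESSAGE_BYTES}-byte limit"]
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    violations = []
    for path, text in leaves(root):
        rule = constraints.get(path)
        if rule is None:  # element never seen in known-good traffic
            violations.append(f"{path}: unexpected element")
            continue
        if len(text) > rule["max_len"]:
            violations.append(f"{path}: length {len(text)} exceeds learned maximum {rule['max_len']}")
        if rule["numeric"] and not text.isdigit():
            violations.append(f"{path}: non-numeric value in a numeric-only field")
    return violations
```

A mixed-content trick such as `<account>0123456789<script/></account>` is also caught, because the nested element becomes an unexpected leaf path.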

Teros officials designed Gateway to protect against buffer overflows, denial-of-service attacks and SQL injections in which an attacker manipulates SQL commands through a front-end browser to execute malicious actions on a back-end Microsoft Corp. SQL database.

The best place to establish XML security is at the gateway, said Schaeffer, whose company will use Sarvega's tool to help secure its government clients' Web services. "At this point, I haven't seen anything on the marketplace as targeted [on XML] as Sarvega," he said. XML security gateways can be placed behind the corporate firewall to perform deep inspection of XML traffic flowing into and out of an organization.

It's difficult to establish a secure application environment without the user making massive changes. However, "it's possible to establish a relatively secure [environment] as soon as a [Sarvega] gateway is established" without making major changes, Schaeffer said.

Sarvega's Guardian Gateway, based on the company's XESOS Gauntlet architecture, protects against attacks directed against XML at the network, content and Web services levels. Guardian Accelerator speeds up the processing of XML digital signatures and Secure Sockets Layer encryption.

There is overlap between XML gateways and Web application security gateways, so distinctions between the two could fade in the future as vendors attempt to offer more comprehensive security products for Web services, Lindstrom said.
