Securing XML

Security products to protect Web services are hitting the market as managers at corporations and agencies realize that Extensible Markup Language (XML), the standard file format for sharing information in Web services, is susceptible to attacks and viruses.

Although Web services offer agencies a flexible, plug-and-play architecture in which networked components work collectively, communications among those components open new security risks not covered by existing security safeguards. For instance, Web services can be hit by attacks that overwhelm the system's processing capabilities, or attackers can install malicious code in XML-based documents.

Like their corporate counterparts, agency managers adopted Web services before realizing the tools required a new level of security, said Barry Schaeffer, president of X.Systems Inc., a consulting firm and systems integrator that serves the public sector.

Many managers attempting "to translate content into XML tend to be functional managers [rather than security managers], so they don't think of security" first, Schaeffer said. But that is changing as they become more aware of the risks associated with Web services, he added.

Consultants and officials at companies devoted to Web services security are raising managers' level of awareness. During the past few months, two companies have launched security products specifically designed to secure XML and Web services while another has enhanced an existing product focused on application security.

Several products built to secure XML that recently made their debut include Sarvega Inc.'s Guardian Gateway and Guardian Accelerator and Forum Systems Inc.'s XWall firewall for Web services.

Meanwhile, Teros Inc. introduced a new version of its application gateway last month that protects XML and HTML or Web applications.

Other companies targeting XML security include DataPower Technology Inc., which provides an XML accelerator and security gateway, and Reactivity Inc., which offers an XML firewall.

Competition in this arena is heating up, said Pete Lindstrom, research director at Spire Security LLC, a consulting firm based in Malvern, Pa.

Companies that specifically focus on XML, such as Sarvega, Forum Systems, DataPower and Reactivity, offer tools for evaluation and interrogation of data in addition to encryption, Lindstrom said.

Products from these companies can drill deeper into XML content than Teros' gateway. Teros' product, however, already protects Web application environments, so users of Web services who need both HTML and XML might opt for the Teros gateway, he added.

Teros' aim is to eliminate the need to deploy and manage a separate security infrastructure to protect Web services applications, said Greg Smith, the company's senior director of product marketing.

The Teros Secure Application Gateway has an adaptive learning engine that recognizes the XML messages and data types received by applications with Web Services Description Language interfaces.

After analyzing correct behavior, Teros Gateway recommends constraints on application inputs. For example, if a Web services port is only supposed to receive account numbers and a script or some other data type is sent to that port instead, the submission can be blocked. This approach can prevent attackers from inserting malicious code that could compromise a Web service.

Teros officials designed Gateway to protect against buffer overflows, denial-of-service attacks and SQL injections in which an attacker manipulates SQL commands through a front-end browser to execute malicious actions on a back-end Microsoft Corp. SQL database.
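The learn-then-constrain approach described above can be sketched in a few dozen lines. The following is an added illustration, not code from Teros or any other vendor named here: it derives per-field constraints (character class and maximum length) from a handful of constructed known-good messages, then enforces those constraints on incoming XML, and it also applies simple message-size and nesting-depth limits as a guard against the resource-exhaustion attacks the article mentions. The message shape, the field names and the limits are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed gateway limits: cap message size and element nesting so that a
# single oversized or deeply nested document cannot exhaust the parser.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 16

# Constructed sample traffic: known-good messages observed in the learning phase.
# The "lookup/account" shape is an assumption made for this example.
GOOD_MESSAGES = [
    b"<lookup><account>12345678</account></lookup>",
    b"<lookup><account>87654321</account></lookup>",
    b"<lookup><account>00001111</account></lookup>",
]

# Coarse character classes, ordered from narrowest to widest. A field learned
# as "digits" later rejects anything that is not purely numeric.
CLASS_ORDER = ["digits", "alnum", "other"]
CLASS_RE = {
    "digits": re.compile(r"[0-9]+"),
    "alnum": re.compile(r"[A-Za-z0-9 ]+"),
    "other": re.compile(r".*", re.S),
}


def _classify(text):
    """Return the narrowest character class that fully matches the value."""
    for name in CLASS_ORDER:
        if CLASS_RE[name].fullmatch(text):
            return name
    return "other"


def _depth(elem, level=1):
    """Maximum nesting depth of an element tree."""
    return max([level] + [_depth(child, level + 1) for child in elem])


def _leaves(elem, path=""):
    """Yield (path, text) for every leaf element, keyed by its full tag path."""
    path = f"{path}/{elem.tag}"
    if len(elem) == 0:
        yield path, (elem.text or "")
    for child in elem:
        yield from _leaves(child, path)


def learn_constraints(messages):
    """Derive per-field constraints from known-good messages.

    For each leaf path the widest character class seen and the longest value
    seen are recorded; that is the "recommended constraint" for the field.
    """
    seen = defaultdict(lambda: {"class": "digits", "max_len": 0})
    for raw in messages:
        for path, text in _leaves(ET.fromstring(raw)):
            rule = seen[path]
            cls = _classify(text)
            if CLASS_ORDER.index(cls) > CLASS_ORDER.index(rule["class"]):
                rule["class"] = cls
            rule["max_len"] = max(rule["max_len"], len(text))
    return dict(seen)


def check_message(raw, constraints):
    """Return (allowed, reason) for one incoming message.

    Size and depth limits run before parsing is trusted; every leaf must then
    be a known field whose value matches the learned class and length.
    """
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _depth(root) > MAX_DEPTH:
        return False, "nesting too deep"
    for path, text in _leaves(root):
        rule = constraints.get(path)
        if rule is None:
            return False, f"unexpected field {path}"
        if len(text) > rule["max_len"]:
            return False, f"{path}: value longer than any observed value"
        if not CLASS_RE[rule["class"]].fullmatch(text):
            return False, f"{path}: value does not match learned class {rule['class']}"
    return True, "ok"


if __name__ == "__main__":
    rules = learn_constraints(GOOD_MESSAGES)
    print("learned:", rules)
    # Constructed test inputs: one benign, one injection-style, one with an
    # embedded element where only text is expected, one excessively nested.
    for msg in [
        b"<lookup><account>55556666</account></lookup>",
        b"<lookup><account>1' OR '1'='1</account></lookup>",
        b"<lookup><account><script>x</script></account></lookup>",
        b"<a>" * 20 + b"x" + b"</a>" * 20,
    ]:
        print(msg[:48], "->", check_message(msg, rules))
```

Keying constraints on the full tag path is what makes the embedded-element case fail closed: an element nested inside a field that was only ever observed as plain text shows up as an unknown path and is rejected, so the gateway never has to recognise the payload itself.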

The best place to establish XML security is at the gateway, said Schaeffer, whose company will use Sarvega's tool to help secure its government clients' Web services. "At this point, I haven't seen anything on the marketplace as targeted [on XML] as Sarvega," he said. XML security gateways can be placed behind the corporate firewall to perform deep inspection of XML traffic flowing into and out of an organization.

It's difficult to establish a secure application environment without the user making massive changes. However, "it's possible to establish a relatively secure [environment] as soon as a [Sarvega] gateway is established" without making major changes, Schaeffer said.

Sarvega's Guardian Gateway, based on the company's XESOS Gauntlet architecture, protects against attacks directed against XML at the network, content and Web services levels. Guardian Accelerator speeds up the processing of XML digital signatures and Secure Sockets Layer


There is overlap between XML gateways and Web application security gateways, so distinctions between the two could fade in the future as vendors attempt to offer more comprehensive security products for Web services, Lindstrom said.
