Securing XML

Security products to protect Web services are hitting the market as managers at corporations and agencies realize that Extensible Markup Language (XML), the standard file format for sharing information in Web services, is susceptible to attacks and viruses.

Although Web services offer agencies a flexible, plug-and-play architecture in which networked components work collectively, communications among those components open new security risks not covered by existing security safeguards. For instance, Web services can be hit by attacks that overwhelm the system's processing capabilities, or attackers can install malicious code in XML-based documents.

Like their corporate counterparts, agency managers adopted Web services before realizing the tools required a new level of security, said Barry Schaeffer, president of X.Systems Inc., a consulting firm and systems integrator that serves the public sector.

Many managers attempting "to translate content into XML tend to be functional managers [rather than security managers], so they don't think of security" first, Schaeffer said. But that is changing as they become more aware of the risks associated with Web services, he added.

Consultants and officials at companies devoted to Web services security are raising managers' level of awareness. During the past few months, two companies have launched security products specifically designed to secure XML and Web services while another has enhanced an existing product focused on application security.

Several products built to secure XML that recently made their debut include Sarvega Inc.'s Guardian Gateway and Guardian Accelerator and Forum Systems Inc.'s XWall firewall for Web services.

Meanwhile, Teros Inc. introduced a new version of its application gateway last month that protects XML and HTML or Web applications.

Other companies targeting XML security include DataPower Technology Inc., which provides an XML accelerator and security gateway, and Reactivity Inc., which offers an XML firewall.

Competition in this arena is heating up, said Pete Lindstrom, research director at Spire Security LLC, a consulting firm based in Malvern, Pa.

Companies that specifically focus on XML, such as Sarvega, Forum Systems, DataPower and Reactivity, offer tools for evaluation and interrogation of data in addition to encryption, Lindstrom said.

Products from these companies can drill deeper into XML content than Teros' gateway. Teros' product, however, already protects Web application environments, so users of Web services who need both HTML and XML might opt for the Teros gateway, he added.

Teros' aim is to eliminate the need to deploy and manage a separate security infrastructure to protect Web services applications, said Greg Smith, the company's senior director of product marketing.

The Teros Secure Application Gateway has an adaptive learning engine that recognizes the XML messages and data types received by applications with Web Services Description Language interfaces.

After analyzing correct behavior, Teros Gateway recommends constraints on application inputs. For example, if a Web services port is only supposed to receive account numbers and a script or other unexpected input is sent to the port instead, the submission can be blocked. This approach can prevent attackers from inserting malicious code that could compromise a Web service.

Teros officials designed Gateway to protect against buffer overflows, denial-of-service attacks and SQL injections in which an attacker manipulates SQL commands through a front-end browser to execute malicious actions on a back-end Microsoft Corp. SQL database.
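As an added illustration of the input-constraint and resource-limit checks described in the two paragraphs above (example code written for this article, not Teros', Sarvega's or any other vendor's product), the following Python policy checker assumes a hypothetical Web services port that should receive only an 8- to 12-digit account number; it also refuses oversized, deeply nested and DOCTYPE-bearing messages of the kind that can overwhelm a parser. All sample messages are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy for one hypothetical Web services port (an assumption, not
# any vendor's rule set): the port should only ever receive an account number.
MAX_BYTES = 4096                  # refuse oversized messages before parsing
MAX_DEPTH = 8                     # refuse deeply nested documents
CONTAINERS = {"Envelope", "Body", "Request"}
LEAVES = {"AccountNumber": re.compile(r"\d{8,12}")}

def check_message(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one XML message bound for the port."""
    if len(raw.encode("utf-8")) > MAX_BYTES:
        return False, "message exceeds size limit"
    # Refusing DOCTYPE/ENTITY declarations stops entity expansion from being
    # used to exhaust the parser.
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
        return False, "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    stack = [(root, 1)]
    while stack:                       # walk the tree, enforcing the policy
        node, depth = stack.pop()
        if depth > MAX_DEPTH:
            return False, "nesting too deep"
        tag = node.tag.split("}")[-1]  # drop any namespace prefix
        if tag in CONTAINERS:
            if (node.text or "").strip():
                return False, f"unexpected text inside <{tag}>"
            stack.extend((child, depth + 1) for child in node)
        elif tag in LEAVES:
            if len(node) or not LEAVES[tag].fullmatch((node.text or "").strip()):
                return False, f"value of <{tag}> violates its constraint"
        else:
            return False, f"unexpected element <{tag}>"
    return True, "ok"

# Constructed sample messages: one well-formed request and three that the
# policy should block.
GOOD = ("<Envelope><Body><Request><AccountNumber>123456789</AccountNumber>"
        "</Request></Body></Envelope>")
SCRIPT = GOOD.replace("123456789", "&lt;script&gt;x&lt;/script&gt;")
DEEP = ("<Envelope><Body>" + "<Request>" * 7 + "<AccountNumber>123456789"
        "</AccountNumber>" + "</Request>" * 7 + "</Body></Envelope>")
ENTITY = '<!DOCTYPE r [<!ENTITY a "a">]>' + GOOD
```

In a real deployment the allowed element set and value patterns would be derived from the service's WSDL interface rather than hard-coded as here.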

The best place to establish XML security is at the gateway, said Schaeffer, whose company will use Sarvega's tool to help secure its government clients' Web services. "At this point, I haven't seen anything on the marketplace as targeted [on XML] as Sarvega," he said. XML security gateways can be placed behind the corporate firewall to perform deep inspection of XML traffic flowing into and out of an organization.

It's difficult to establish a secure application environment without the user making massive changes. However, "it's possible to establish a relatively secure [environment] as soon as a [Sarvega] gateway is established" without making major changes, Schaeffer said.

Sarvega's Guardian Gateway, based on the company's XESOS Gauntlet architecture, protects against attacks directed against XML at the network, content and Web services levels. Guardian Accelerator speeds up the processing of XML digital signatures and Secure Sockets Layer

There is overlap between XML gateways and Web application security gateways, so distinctions between the two could fade in the future as vendors attempt to offer more comprehensive security products for Web services, Lindstrom said.
