Securing XML

Security products to protect Web services are hitting the market as managers at corporations and agencies realize that Extensible Markup Language (XML), the standard file format for sharing information in Web services, is susceptible to attacks and viruses.

Although Web services offer agencies a flexible, plug-and-play architecture in which networked components work collectively, communications among those components open new security risks not covered by existing security safeguards. For instance, Web services can be hit by attacks that overwhelm the system's processing capabilities, or attackers can install malicious code in XML-based documents.

Like their corporate counterparts, agency managers adopted Web services before realizing the tools required a new level of security, said Barry Schaeffer, president of X.Systems Inc., a consulting firm and systems integrator that serves the public sector.

Many managers attempting "to translate content into XML tend to be functional managers [rather than security managers], so they don't think of security" first, Schaeffer said. But that is changing as they become more aware of the risks associated with Web services, he added.

Consultants and officials at companies devoted to Web services security are raising managers' level of awareness. During the past few months, two companies have launched security products specifically designed to secure XML and Web services while another has enhanced an existing product focused on application security.

Several products built to secure XML that recently made their debut include Sarvega Inc.'s Guardian Gateway and Guardian Accelerator and Forum Systems Inc.'s XWall firewall for Web services.

Meanwhile, Teros Inc. introduced a new version of its application gateway last month that protects XML and HTML or Web applications.

Other companies targeting XML security include DataPower Technology Inc., which provides an XML accelerator and security gateway, and Reactivity Inc., which offers an XML firewall.

Competition in this arena is heating up, said Pete Lindstrom, research director at Spire Security LLC, a consulting firm based in Malvern, Pa.

Companies that specifically focus on XML, such as Sarvega, Forum Systems, DataPower and Reactivity, offer tools for evaluation and interrogation of data in addition to encryption, Lindstrom said.

Products from these companies can drill deeper into XML content than Teros' gateway. Teros' product, however, already protects Web application environments, so users of Web services who need both HTML and XML might opt for the Teros gateway, he added.

Teros' aim is to eliminate the need to deploy and manage a separate security infrastructure to protect Web services applications, said Greg Smith, the company's senior director of product marketing.

The Teros Secure Application Gateway has an adaptive learning engine that recognizes the XML messages and data types received by applications with Web Services Description Language interfaces.

After analyzing correct behavior, Teros Gateway recommends constraints on application inputs. For example, if a Web services port is only supposed to receive account numbers and some other type of a script is sent to the port, the submission can be blocked. This approach can prevent attackers from inserting malicious code that could compromise a Web service.

Teros officials designed Gateway to protect against buffer overflows, denial-of-service attacks and SQL injections in which an attacker manipulates SQL commands through a front-end browser to execute malicious actions on a back-end Microsoft Corp. SQL database.
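The constraint-enforcing gateway approach described above, as an added example that is not code from Teros or any product named in the article: a constructed policy for a hypothetical account-lookup service (element names, patterns and limits are assumptions standing in for what a gateway would learn from observed traffic) that rejects a script sent where an account number is expected, and also turns away oversized, deeply nested or DTD-bearing messages before they reach the service.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy for a hypothetical account-lookup service; element names
# and limits are assumptions standing in for what a gateway learned from traffic.
ACCOUNT_LOOKUP_POLICY = {
    "max_bytes": 4096,   # caps the work a single message can cause downstream
    "max_depth": 8,      # rejects pathologically nested documents
    "fields": {          # every element the service expects, with its constraint
        "account": re.compile(r"[0-9]{8,12}"),
        "requestId": re.compile(r"[A-Za-z0-9-]{1,36}"),
    },
}

def _depth(element, level=1):
    """Nesting depth of an element tree, counting the element itself."""
    return max([level] + [_depth(child, level + 1) for child in element])

def check_message(raw: bytes, policy: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw XML request bound for the service.
    Cheap checks run before the parser so a hostile message cannot make the
    gateway itself do the expensive work."""
    if len(raw) > policy["max_bytes"]:
        return False, "message exceeds size limit"
    # A DTD is never legitimate for this service; refusing it up front closes
    # off entity-expansion tricks before any parser sees the document.
    if b"<!doctype" in raw.lower() or b"<!entity" in raw.lower():
        return False, "DTD or entity declarations not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _depth(root) > policy["max_depth"]:
        return False, "nesting too deep"
    allowed = policy["fields"]
    seen = set()
    for child in root:
        if child.tag not in allowed:
            return False, f"unexpected element <{child.tag}>"
        if len(child):  # a value field carrying markup, e.g. an embedded <script>
            return False, f"<{child.tag}> must not contain child elements"
        if not allowed[child.tag].fullmatch((child.text or "").strip()):
            return False, f"<{child.tag}> value rejected by constraint"
        seen.add(child.tag)
    missing = set(allowed) - seen
    if missing:
        return False, f"missing element(s): {sorted(missing)}"
    return True, "ok"
```

Real SOAP traffic carries namespaces, so a production policy would key constraints on qualified names rather than the bare tags used here.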

The best place to establish XML security is at the gateway, said Schaeffer, whose company will use Sarvega's tool to help secure its government clients' Web services. "At this point, I haven't seen anything on the marketplace as targeted [on XML] as Sarvega," he said. XML security gateways can be placed behind the corporate firewall to perform deep inspection of XML traffic flowing into and out of an organization.

It's difficult to establish a secure application environment without the user making massive changes. However, "it's possible to establish a relatively secure [environment] as soon as a [Sarvega] gateway is established" without making major changes, Schaeffer said.

Sarvega's Guardian Gateway, based on the company's XESOS Gauntlet architecture, protects against attacks directed against XML at the network, content and Web services levels. Guardian Accelerator speeds up the processing of XML digital signatures and Secure Sockets Layer


There is overlap between XML gateways and Web application security gateways, so distinctions between the two could fade in the future as vendors attempt to offer more comprehensive security products for Web services, Lindstrom said.
