According to Peter Lindstrom, an analyst at Hurwitz Group, the power of XML comes from its flexibility and extensibility paired with its semantics and structure. But these same elements, he contends, also cook up new security issues. In a white paper entitled "Introduction to XML Security" (June 2001), Lindstrom cites four recipes for XML disaster. Here are those risks and ways to defend against hostile XML executables:
Dangers

- Data sharing: The "cookbook" approach to data sharing (one that involves many ways to share data) makes it difficult to validate the source of every piece of information and the accuracy of the information itself.
- Data linking: Presenting data in the form of links via Web addresses overextends security mechanisms.
- Transport: Firewalls won't stop XML, regardless of the application that's using it.
- Structure: Even though XML instances can look exactly alike, they can be different under the covers. Placement of tags, use of white spaces and other style tweaks can introduce new ambiguities to the data sets.

Defenses

- Don't trust inbound data.
- Set up a local store of Document Type Declarations (DTD) either at or near the firewall and keep it updated like you would virus signatures. DTDs are XML syntax-based data describers that will likely be linked to you from other sources. If these DTDs were altered outside your network, a local DTD store would notice a conflict and stop the process, says Dan Moniz, a research scientist at OpenCola Ltd. in Toronto.
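The local DTD store that Moniz describes can be sketched in a few dozen lines. The following is an added example, not code from the article or from Hurwitz Group or OpenCola; it uses only Python's standard-library expat bindings. The partner URL, the DTD text, the inbound documents and the "tampered remote copy" are all constructed for illustration, and nothing is fetched over the network. The gate refuses documents whose DTD is not pinned locally, refuses documents that carry their own DTD subset (a design choice, so the pinned copy stays authoritative), and, when a fetched copy is supplied, stops on any hash mismatch against the pinned copy, which is the "conflict" the article refers to.

```python
"""Gate inbound XML through a local, hash-pinned DTD store (added example)."""
import hashlib
import xml.parsers.expat as expat


class DtdStoreError(ValueError):
    """Inbound XML references a DTD the local store cannot vouch for."""


# Constructed sample store: reviewed DTDs pinned locally, keyed by the
# system identifier inbound documents use to reference them.
# The URL is hypothetical; nothing is fetched in this example.
LOCAL_DTD_STORE = {
    "https://partner.example/order.dtd": (
        "<!ELEMENT order (item+)>\n"
        "<!ELEMENT item (#PCDATA)>\n"
        "<!ENTITY currency 'USD'>\n"
    ),
}


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PinnedDtdParser:
    """Expat parser that only honours DTDs present in the local store.

    fetch_remote, if given, is a callable returning the DTD text a fetcher
    obtained for the system identifier; if that copy no longer matches the
    pinned one, parsing stops.
    """

    def __init__(self, store, fetch_remote=None):
        self.store = store
        self.fetch_remote = fetch_remote
        self.elements = []   # element names in document order
        self.text = []       # character data chunks in document order
        self._parser = None

    def parse(self, document):
        p = expat.ParserCreate()
        p.buffer_text = True
        # Make expat hand the external DTD subset to our handler instead of
        # ignoring it; the handler then serves the pinned local copy.
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        p.StartDoctypeDeclHandler = self._start_doctype
        p.ExternalEntityRefHandler = self._external_entity_ref
        p.StartElementHandler = lambda name, attrs: self.elements.append(name)
        p.CharacterDataHandler = self.text.append
        self._parser = p
        p.Parse(document, True)
        return self.elements, "".join(self.text).strip()

    def _start_doctype(self, name, sysid, pubid, has_internal_subset):
        if sysid not in self.store:
            raise DtdStoreError("DTD %r is not in the local store" % sysid)
        if has_internal_subset:
            # A document-supplied subset could redefine entities from the
            # pinned DTD; refusing it keeps the pinned copy authoritative.
            raise DtdStoreError("inbound document carries its own DTD subset")
        if self.fetch_remote is not None:
            if sha256(self.fetch_remote(sysid)) != sha256(self.store[sysid]):
                raise DtdStoreError("DTD %r differs from the pinned copy" % sysid)

    def _external_entity_ref(self, context, base, sysid, pubid):
        # Called for the external DTD subset (and any other external entity):
        # only identifiers in the store are resolved, always from the local copy.
        if sysid not in self.store:
            raise DtdStoreError("external entity %r is not in the local store" % sysid)
        child = self._parser.ExternalEntityParserCreate(context)
        child.Parse(self.store[sysid], True)
        return 1


def gate(document, store=LOCAL_DTD_STORE, fetch_remote=None):
    """Return ('accepted', elements, text) or ('rejected', reason)."""
    try:
        elements, text = PinnedDtdParser(store, fetch_remote).parse(document)
    except DtdStoreError as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("rejected", "malformed XML: %s" % exc)
    return ("accepted", elements, text)


# Constructed inbound documents.
GOOD_DOC = ('<!DOCTYPE order SYSTEM "https://partner.example/order.dtd">'
            '<order><item>widget &currency;</item></order>')
UNKNOWN_DTD_DOC = ('<!DOCTYPE order SYSTEM "https://elsewhere.example/order.dtd">'
                   '<order><item>widget</item></order>')
OVERRIDE_DOC = ('<!DOCTYPE order SYSTEM "https://partner.example/order.dtd" '
                '[<!ENTITY currency "EUR">]><order><item>&currency;</item></order>')


def tampered_fetch(sysid):
    # Constructed stand-in for a remote copy that was altered after pinning.
    return LOCAL_DTD_STORE[sysid].replace("'USD'", "'EUR'")


if __name__ == "__main__":
    print(gate(GOOD_DOC))
    print(gate(UNKNOWN_DTD_DOC))
    print(gate(OVERRIDE_DOC))
    print(gate(GOOD_DOC, fetch_remote=tampered_fetch))
```

Because the pinned copy is what the parser actually reads, the `&currency;` reference in the accepted document expands to the value the local store defines, not whatever a partner's server currently serves; refreshing the store is then an explicit review step, much like pushing new virus signatures.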
Security Risk and Reward