Microsoft's Simple Object Access Protocol (SOAP) has garnered a lot of attention, especially since it was submitted to the W3C as a possible standard for XML-based communication among object-oriented applications.
 |
DEFINITION |
|
But privacy and data integrity protection specifications, missing in earlier versions of SOAP, also get a lot of attention.
SOAP authors, including Microsoft and IBM, addressed that lack of information in February, submitting a new set of SOAP security specifications to the W3C.
Based on XML, SOAP is used in middleware for communication among information systems built on different technologies.
Version 1.1 of the specification, announced in April of last year, let SOAP messages, which are based on HTML, sail freely through most firewalls. That gave legitimate business partners free entry to remotely activate code and exchange information. But it also extended the same welcome mat to hackers, said James Kobielus, an analyst at Midvale, Utah-based The Burton Group Inc.
The February extension to SOAP proposes a way to use the XML digital signature syntax to sign and authenticate SOAP 1.1 messages.
It also proposes definition of an extensible name space for adding to the SOAP header further security features, such as biometric signatures and XML encryption, as standards become available.
The W3C has appointed a working group to develop an open standard protocol similar to SOAP called XML-Protocol.
Although the SOAP specification is maturing, applications that require stringent security, such as securities trading, continue to use stronger protocols, such as electronic-business XML (ebXML).
That specification is a collaborative effort of an IBM-led consortium, the Organization for the Advancement of Structured Information Standards (OASIS), and the United Nations. That group is working on standards for authorization and access control, said Robert Sutor, IBM's director of e-business standards strategy.
Emerging in the next few months will be a road map to XML security, but "it will take coordination among the W3C, OASIS and other organizations in a way we haven't seen before," Sutor said.
—Sami Lais
Security Risk and Reward
Stories in this report:
- Want to Save Some Money? Automate Password Resets
- Knowldge Quest
- Companies Need Security Pros With More Varied Skills
- Finding Answers
- The Enemy Within
- The Threat of XML
- SOAP, Other Protocols Specify Security for XML
- The Problem With Power
- Top 10 Security Mistakes
- Playing By Europe's Rules
- False Alarm?
- An Ounce of Intrusion Prevention
- Deadly Pursuit
- IDS Products and Prices
- Should You Outsource IDS?
- Who He Is
- Manager Offers Primer On Computer Forensics
- Unlocking Secure Online Commerce
- Too Late For Digital Certificates?
- Giving Users Back Their Privacy
- Feeling Safe With IT Security Deals
- Finjan's Software Bolcks Active Content Threat
- Security Statistics
- The Guardian
- Congress Considers Slew of Bills That Will Affect IT, E-Commerce
- U.S. Legislators Ponder Masses of Bills; Outlook Remains Murky
- Rule Changes May Further Protect Company Security Data
- Getting Started in Computer Forensics
- PKI Carries the Mail for U.S. Postal Service
- Security by Syntax