Know the dangers of XML

The growing popularity of XML-based software means security risks are increasing, writes Mark O'Neill


Back in January, Bill Gates finally conceded that his vision for a Web-based services platform would never take off while security issues remained. His leaked memo to staff acknowledged that transaction functionality had taken precedence over security and stated, "So now, when we face a choice between adding features and resolving security issues, we need to choose security."

Although commercial software developers show a growing awareness of security issues, many users have yet to get the message. In the rush to adopt XML for transmitting structured data across the Web, their attention has focused on functionality, with little regard to the security of the transactions. Yet, at a time when defacement of Web sites, denial of service attacks and malicious tampering with online databases are growing threats, the integrity of XML data is increasingly important.

The underlying philosophy of XML is to simplify integration of disparate platforms on an open systems basis, which is marvellous for simplicity and usability. Unfortunately, the same levels of thoroughness and imagination have not been applied to XML's security standards, which have not been optimised to the same degree.

The particular vulnerability of XML lies in the fact that development priorities have been focused on demonstrating proof-of-concept and ensuring that the basic features work correctly. All the while, security came second, but we cannot let it remain an optional extra.

XML-specific security is obscured by the complex way that data enters and leaves computers on Internet connections. Different ports are used for individual networked applications, such as e-mail, and this enables firewalls to recognise and filter network traffic. However, it is now standard practice to send XML data over the ports allotted for Web traffic, effectively disguising the XML as normal Web browsing traffic.

While it is an appealing prospect to bypass firewall restrictions in this way, it does mean that security is required at a higher level than the network access layer.
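The contrast drawn above, as an added example that is not part of the original article: a port rule passes every request sent to port 80, while a check on the message content separates ordinary browsing from XML documents and rejects the ones an endpoint does not expect. The host name, the `PurchaseOrder` and `PriceUpdate` document types, the size limit and the sample requests are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

WEB_PORTS = {80, 443}               # ports a typical firewall opens for Web traffic
ALLOWED_ROOTS = {"PurchaseOrder"}   # hypothetical documents this endpoint accepts
MAX_BODY = 64 * 1024                # assumed size limit for one XML message

def port_filter(dst_port):
    """Network-layer decision: looks only at the destination port."""
    return dst_port in WEB_PORTS

def inspect_http(raw):
    """Application-layer decision: (verdict, reason) for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").lower()
    is_xml = "xml" in ctype or body.lstrip().startswith(b"<?xml")
    if not is_xml:
        return ("allow", "not XML")
    if len(body) > MAX_BODY:
        return ("deny", "XML body too large")
    if b"<!DOCTYPE" in body:        # assumed policy: business messages carry no DTD
        return ("deny", "DTD not permitted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("deny", "malformed XML")
    tag = root.tag.rsplit("}", 1)[-1]   # drop any {namespace} prefix
    if tag not in ALLOWED_ROOTS:
        return ("deny", "unexpected document type: " + tag)
    return ("allow", "XML document " + tag)

# Constructed sample requests, all addressed to port 80.
XML_HEAD = b"POST /b2b HTTP/1.1\r\nHost: shop.example\r\nContent-Type: text/xml\r\n\r\n"
BROWSE = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ORDER = XML_HEAD + b"<?xml version='1.0'?><PurchaseOrder><Item sku='A1'/></PurchaseOrder>"
OTHER = XML_HEAD + b"<?xml version='1.0'?><PriceUpdate/>"
BROKEN = XML_HEAD + b"<PurchaseOrder><Item></PurchaseOrder>"

def demo():
    """Pair the port verdict with the content verdict for each sample."""
    return [(port_filter(80), inspect_http(r)) for r in (BROWSE, ORDER, OTHER, BROKEN)]

if __name__ == "__main__":
    for by_port, by_content in demo():
        print(by_port, by_content)
```

All four samples pass the port rule; only the content check tells them apart.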

At the moment, many XML users are unaware of these problems and rely on their systems integrators to handle these issues. However, if they are not addressed, companies will be extremely vulnerable.

By its nature, XML integration sits on top of the Web technology that is the target of so many malicious attacks. Any company exposed in this way runs the danger of revealing vital confidential data to outsiders and being in breach of the Data Protection Act because competitors could steal customer and supplier details.

The risk of commercially motivated hacking may well be exaggerated but there is still the possibility of revenge attacks from disaffected ex-employees. More important, a worldwide army of computer crackers derives perverse satisfaction from running port scanners and looking for vulnerabilities.

For the victim company, the minimum penalty - quite apart from any financial losses - is a severe erosion of trust and reputation. Organisations that invite others to do business with them electronically are expected to exercise due diligence to ensure that the mechanisms they provide are fit for the purpose and, if proven incompetent, they will be shunned in future.

There are wider implications, too. Remaining doubts over online security inhibit the overall potential for expanding electronic commerce. While online trading has exceeded the most favourable estimates, it remains hampered by a lack of confidence in the privacy and security of transactions performed over the Internet.

It is ironic that the attractions of XML are tempered by security holes, making the tool a double-edged sword. XML simplifies the design of integrated systems significantly but, unfortunately, it also simplifies access for unauthorised users.

Measures are now being taken to address these issues and one of them, a digital signature system for XML, provides a means of certifying transactions and establishing an audit trail. This is particularly important for companies active in the business-to-business (B2B) arena. Although a small proportion of counterfeit transactions may be acceptable in business-to-consumer dealings, in the world of B2B commerce it is not.

There is still a perception that security for XML-based systems is too complex to install and, if wrongly implemented, may impede business. This is false; perfectly practical solutions exist and ignoring them directly prejudices the successful conduct of any company that deploys XML.

The message is crystal clear: information security is not an optional extra and each and every person involved with XML bears responsibility for maintaining that security.

Ignorance is no longer a valid excuse.

Mark O'Neill is chief technology officer and joint founder of Web transaction security and integration specialist Vordel. He will be addressing the XML and Web Services 2002 Conference at the Queen Elizabeth Conference Centre, London on 11-13 March.
