XML: A Growing Security Threat?

The data-swapping standard, now incorporated into Microsoft's Office 2003, may be the next big route for malicious attacks.

Is XML a security threat? A few years ago, that might have seemed a stretch to anyone using the standard as a way to encode and swap data. The emergence of Web services, however, is changing that. According to Gartner, most large firms already have or are planning some kind of Web services project within the next year.

One of the lures of Web services is the ease of exchanging data in XML format. Yet as companies have moved toward Web services, they’ve increasingly begun to tie disparate systems together to swap data in near- or real-time, and XML is the Web services lingua franca. Gartner says almost 70 percent of companies view security as a barrier to Web services deployment.

Hence an emerging threat: if malicious XML code were sent to an application that automatically executed it, a company—and its Web services partners—could have problems. Microsoft’s release of Office 2003 adds another reason to be wary. One selling point of the new Office is that it includes new tools for collaboration and sharing. What enables that collaboration? XML.

Unfortunately, normal firewalls don’t analyze incoming XML code for potential malice; they pass it on through. Several XML firewall appliances are on the market today, from such companies as DataPower, Forum Systems, and Reactivity. To assess the state of XML security today as it pertains not only to Web services but also to the latest Office software, Security Strategies spoke with John Lilly, the chief technology officer of Reactivity, which just announced the latest generation of its XML firewall.

XML firewalls—this is a relatively new concept, isn’t it?

Yes, it's early days for XML firewalls. And though customers are using them, as you know, in security, people don’t like to talk about what they’re doing. But [for example we already have] a top-10 financial institution, as well as companies in the travel industry, publishing, and other industries [using our product].

Last year, Web services got just a bit hyped. Where are we now?

What we're seeing is Web services about everywhere we go—either pilots or deployments. About half of what we see is between enterprises, say between a big travel agency and an airline, that sort of thing. There’s an imperative now. The cost reductions and revenue enablement are so steep that some companies are going in without any security.

What are some examples of Web services cost savings?

Web services can enable you to connect to your partners at a deeper level than before. [So you can] get rid of leased lines, call centers, related support infrastructure; and you're enabling new revenue streams because you're able to do partnerships with companies you never dreamed of before. We have a top-five educational testing service [customer]; they’re actually seeing $20 million a year from application-to-application SOAP calls. Yet some are just going without security, because the cost benefits are so enormous that they just have to. The [company] is a good example; they make $20 million a year on Web services and just hadn't secured it. So the takeaway is that Web services is happening, it's the real deal. But there are some challenges.

Are there any metrics yet for gauging rollout?

The only real metrics are how fast can you connect the partners, and how cost-effective is sustaining it over time.

What are the security issues?

When you're talking about exposing Web services to partners, you're really talking about exposing applications to each other. One of our customers said that the really thrilling thing about Web services is that it's going to allow me to connect to my partners more than ever before, but the troublesome thing to me is that it's going to allow hackers to steal money from me faster than ever before if there isn't sufficient security.

How does an XML firewall help?

It lets you create a policy and enforce that policy as a perimeter to your organization. Our XML firewall sits in the [network] DMZ. We sell an integrated appliance that has a hardware and software piece.

What does the hardware include?

It’s a hardware HSM—a hardware key store—as well as a hardware accelerator from nCipher, and we're working with a new company called Tarari. They speed up XML.

What are you looking for?

There’s XML denial of service detection, XML virus scanning, authentication, [and] authorization.
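As an added illustration of the first item in that list (this is not Reactivity's product or any code from the article), the kind of inbound XML policy check an XML firewall enforces before a message reaches the application: a size cap, a nesting-depth cap, and rejection of DOCTYPE and entity declarations, which are the usual vehicle for expansion-based XML denial of service. The limits and the sample messages are constructed for the example.

```python
import xml.parsers.expat

# Policy limits, constructed for this example; a real policy would be tuned per service.
MAX_BYTES = 1_000_000
MAX_DEPTH = 32


class XmlPolicyViolation(Exception):
    """Raised on the first breach of the inbound XML policy."""


def check_xml(document: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH) -> dict:
    """Inspect an inbound XML message and return a short report, or raise XmlPolicyViolation."""
    if len(document) > max_bytes:
        raise XmlPolicyViolation(f"message size {len(document)} exceeds {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise XmlPolicyViolation(f"nesting depth exceeds {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def end_element(name):
        state["depth"] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Data messages between partners have no need for a DTD; entity declarations
        # inside one are how entity-expansion denial of service is carried.
        raise XmlPolicyViolation("DOCTYPE declaration not allowed in inbound messages")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(document, True)  # exceptions raised in handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


# Constructed sample messages: a small SOAP-style call, a deeply nested one, and one with a DTD.
SAMPLE_OK = b"<Envelope><Body><GetQuote><Symbol>XYZ</Symbol></GetQuote></Body></Envelope>"
SAMPLE_DEEP = b"<r>" + b"<e>" * 40 + b"</e>" * 40 + b"</r>"
SAMPLE_DTD = b'<!DOCTYPE r [<!ENTITY x "xxxx">]><r>&x;</r>'
```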

How is XML being used today?

When we started this project, we thought that a lot of the traffic we were going to see was small-type messages—one or two kilobyte files. In reality, we’re seeing that small stuff, but also quite large batch files. People are wrapping those up and sending them through to partners. So for example, things you used to use FTP for—all the bank transactions in a day, after-hours they batch them up into one big 100 megabyte file and send it off. It used to be FTP, now we're starting to see more people use Web services for that.

Where does the firewall sit in the network?

Usually what happens is there's a front-side firewall, often a load balancer [too], and we usually sit right in front of another firewall; typically in the data center.

What’s the alternative to using an XML firewall?

It's a little bit like thinking about your in-house development team writing your firewalls. You don't want to do that.

What’s the Office 2003 security risk?

It looks a lot like the security risk that Office had before. You've got embedded viruses and macros that can spread through documents. The good news is that because Microsoft moved to a mostly open standard for XML documents, you can be a bit more proactive about pulling those documents apart and seeing if there's anything malicious or not. Also Microsoft’s use of XML for sharing, collaboration, and updates will create more accidental XML traffic—the organization doesn’t necessarily know it’s there until they look.

So Microsoft’s use of XML in Office will raise security issues?

Sure, it’s a constant balance between integration and cooperation and security. It's not new—just a new paradigm bringing up the same issues.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.