SOA Drives Need for XML Security

XML security is where it’s at for adopters of service-oriented architectures

Deliberate attacks on Web services is one obvious risk enterprises take when building such applications, and sloppy data can wreak just as much havoc. One expert says XML security is where it’s at for adopters of service-oriented architectures (SOA).

“There’s always a risk that your investment in Web services could be brought down by poor programming," says Dimitri Sirota, vice president of marketing and alliance, Layer 7 Technologies.

Sirota says that while developers do their best to build code that limits the number of exploits within an application, security ultimately lies in the hands of IT managers and the solutions or products they invest in.

“A lot of programmers don’t have a deep [firsthand] knowledge of security," Sirota notes. “As much as possible, our customers don’t want programmers implementing these standards or processes."

Sirota co-founded Layer 7 (, emphasizing products and services that focus on secure business integration for XML and Web services—a focus that continues to become more relevant as enterprises embark on SOA-based projects. The biggest challenge enterprises face today, he says, is the challenge of expanding existing identity-based security solutions to SOA.

Sirota cites other security challenges for SOA as well–access control (identifying Web services calls, defining code), message-level security (meaning as XML data flows through multiple sources, enterprises need to encrypt the appropriate parts of the messages), and service mediation (or routing).

Earlier this month Layer 7 released version 3.5 of its XML firewall, which automates policy replication and manages through multi-gateway monitoring. The firewall—built for the company’s SecureSpan XML Gateway—also enables cluster deployments. SecureSpan is a security and networking appliance designed specifically for SOA and Web services, meshing firewall technology with XML VPN technology.

Before exposing a Web service outside the enterprise, Layer 7 cautions security architects and IT managers to closely consider the following questions: How do you identify differing security policies from a calling application’s identity? How do you prevent physical addresses from being displayed to users outside the enterprise? How do you adapt to changes in data formats and protocols? How do you prevent replay attacks? How do you protect app interface access from developers with ulterior motives?

Sirota says the solutions are out there, and while he recognizes that some start-ups are slow to maximize revenue from legacy apps, there are many products today that leverage and integrate existing legacy security technologies.

Thanks to legacy mainframe reliance, financial services and banks have been at the forefront of SOA adoption, but other industries are jumping on the bandwagon. Sirota says government, health care, and oil and gas companies are beginning to deploy these technologies. As they do, the SOA security market gradually grows.

“It’s no longer a case of early adopters; it’s more main stream now," Sirota says, “but adoption is going slowly."

About the Author

Jason Turcotte is an assistant editor at Application Development Trends, online at