API Security has finally entered our security zeitgeist. OWASP Top 10 2017 -
RC1 recognized API Security as a first-class citizen by adding it as number
10, or A-10, on its list of web application vulnerabilities. We believe this
is just the start. The attack surface exposed by APIs is orders of
magnitude larger than any other attack surface: APIs expose cloud services,
internal databases, applications and even legacy mainframes over the
internet. What could go wrong?
API Security has been added to OWASP Top 10 2017 - RC1. This is a
commendable step by the web application security thought leaders and a
clear indication of where the industry is heading. Security professionals
have the tools and awareness to fence in applications, databases and
legacy systems with firewalls.
OWASP has served security professionals well...
The Cloud Security Alliance (CSA) published Version 2.1 of its Guidance for
Critical Areas of Focus in Cloud Computing with a significant and
comprehensive set of recommendations that enterprises should incorporate
within their security best practices if they are to use cloud computing in a
meaningful way.
The Guidance provides broad recommendations for operational security concerns
including application security, encryption & key management, and identity &
access management. In this article, we will consider the security implications
of REST- and SOAP-based communication between consumers and, specifically,
Infrastructure as a Service (IaaS) providers.
Cloud Application Security
Cloud application security requires looking at classic application security
models and extending these models out to dynamic and multi-tenant
architectures. While planning for cloud-based applic...
These days, XML Gateways are a core infrastructure component of any
enterprise SOA deployment. XML Gateways provide the ability to integrate
services securely with granular access control, data-level encryption,
integrity through signatures and XML threat mitigation. XML Gateways can be
deployed as a hardware appliance or as a software gateway (including
cloud-based instances). Both form factors have their advantages and
disadvantages. This article provides readers with a quick synopsis of the
pros and cons of each form factor.
XML Gateway Hardware Appliance:
Advantages:
Accelerated SSL and XML Security operations. Tamper-resistant protection of
PKI private keys in a Hardware Security Module (HSM). Ease of installation and
manageability. High level of security assurance, since a hardware appliance
runs dedicated XML Gateway security firmware. Be...
In general, synchronous web services are simpler and more common than
asynchronous ones. I like them because, for 99% of cases, the security
can be done at the transport level using 2-way SSL (mutual TLS). Asynchronous
web services introduce additional security challenges, mainly that messages
are likely to sit in memory or on disk between hops, where the transport is
no longer there to keep the contents of the message secure. The purpose of
this post is not to explore the security challenges of asynchronous web
services, but another complexity: proper handling of web-service callbacks
through an intermediary.
One of the main uses of an XML gateway is to hide the endpoint of the
actual service from the caller. This approach is aligned with SOA best
practices, and from a security perspective not letting people know where your
service actually lives is a really good idea. This p...
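The callback handling the post describes, carried through as an added example (not the post's own code, and not any particular gateway product's): a minimal intermediary that hides the backend endpoint from the caller, rewrites the WS-Addressing ReplyTo so the callback returns through the gateway, and correlates each callback to exactly one outstanding request before forwarding it. The hostnames, the `CallbackGateway` class and its methods, and the use of SOAP 1.2 with WS-Addressing 1.0 headers are assumptions made for this example; the sample messages are constructed, not captured traffic.

```python
"""Async web-service callbacks through an intermediary. Added example (not the
post's own code). The gateway hides the backend from the client and the
client from the backend: it replaces wsa:ReplyTo and wsa:To on the outbound
request, substitutes an unguessable MessageID of its own, and only forwards a
callback whose wsa:RelatesTo matches exactly one outstanding request."""
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://www.w3.org/2005/08/addressing"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsa", WSA_NS)

# Assumed addresses for the example; none of them are real.
GATEWAY_CALLBACK_URL = "https://gateway.example.test/callback"
BACKEND_URL = "https://orders.internal.test/async"


def _wsa(tag):
    return f"{{{WSA_NS}}}{tag}"


class CallbackGateway:
    def __init__(self):
        # gateway MessageID -> (client's MessageID, client's ReplyTo address)
        self.pending = {}

    def forward_request(self, envelope_xml):
        """Rewrite an outbound async request; returns the XML the backend receives."""
        root = ET.fromstring(envelope_xml)
        header = root.find(f"{{{SOAP_NS}}}Header")
        msg_id = header.find(_wsa("MessageID")) if header is not None else None
        reply_to = header.find(f"{_wsa('ReplyTo')}/{_wsa('Address')}") if header is not None else None
        if msg_id is None or not msg_id.text or reply_to is None or not reply_to.text:
            raise ValueError("async request needs wsa:MessageID and wsa:ReplyTo/Address")
        # The correlation ID the backend sees is minted here, so a predictable
        # client ID cannot be used by a third party to forge a callback.
        gw_id = "urn:gw:" + secrets.token_urlsafe(16)
        self.pending[gw_id] = (msg_id.text, reply_to.text)
        msg_id.text = gw_id
        reply_to.text = GATEWAY_CALLBACK_URL      # the callback must come back through us
        to = header.find(_wsa("To"))
        if to is not None:
            to.text = BACKEND_URL                 # real endpoint, never exposed to the client
        return ET.tostring(root, encoding="unicode")

    def route_callback(self, callback_xml):
        """Validate an inbound callback; return (client address, XML to deliver) or raise."""
        root = ET.fromstring(callback_xml)
        relates = root.find(f"{{{SOAP_NS}}}Header/{_wsa('RelatesTo')}")
        if relates is None or not relates.text:
            raise PermissionError("callback without wsa:RelatesTo")
        # pop(): each correlation ID is single-use, so a replayed callback is refused
        entry = self.pending.pop(relates.text, None)
        if entry is None:
            raise PermissionError("no outstanding request matches " + relates.text)
        client_msg_id, client_addr = entry
        relates.text = client_msg_id              # restore the ID the client knows
        return client_addr, ET.tostring(root, encoding="unicode")


# Constructed sample messages (not captured traffic).
CLIENT_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsa="{WSA_NS}">
  <soap:Header>
    <wsa:MessageID>urn:uuid:client-0001</wsa:MessageID>
    <wsa:To>https://gateway.example.test/orders</wsa:To>
    <wsa:ReplyTo><wsa:Address>https://client.example.test/reply</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body><SubmitOrder id="42"/></soap:Body>
</soap:Envelope>"""


def backend_callback(relates_to):
    """Constructed stand-in for the backend's asynchronous reply."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsa="{WSA_NS}">'
            f"<soap:Header><wsa:RelatesTo>{relates_to}</wsa:RelatesTo></soap:Header>"
            '<soap:Body><OrderAccepted id="42"/></soap:Body></soap:Envelope>')


def demo():
    """Happy path plus the two cases the gateway must refuse: replay and a forged ID."""
    gw = CallbackGateway()
    outbound = gw.forward_request(CLIENT_REQUEST)
    gw_id = next(iter(gw.pending))
    client_addr, delivered = gw.route_callback(backend_callback(gw_id))
    refused = []
    for relates in (gw_id, "urn:uuid:client-0001"):   # replay, then the client's own ID
        try:
            gw.route_callback(backend_callback(relates))
            refused.append(False)
        except PermissionError:
            refused.append(True)
    return {"outbound": outbound, "client_addr": client_addr, "delivered": delivered,
            "replay_refused": refused[0], "forgery_refused": refused[1]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Minting the correlation ID at the gateway instead of reusing the client's MessageID is the point: a predictable client ID would let anyone who can reach the gateway's callback URL inject a fake response, and popping the entry on first use means a captured callback cannot be replayed. A real deployment would also authenticate the backend on the callback connection (the 2-way SSL the post mentions) and expire entries whose callback never arrives.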
It is rare today to find a business application that has not exposed its
interface via SOAP/XML. XML is the building block that enables business and
consumer applications to exchange data in a standard, structured format. The
exchange of XML data typically takes place through a SOAP/XML interface
based on the Web Services standards or through a REST-style interface.
These flexible standards, which richly describe the interface functions of an
application, also introduce a host of XML and Web Services security
vulnerabilities. This article is a quick guide to the most common XML and Web
Services security vulnerabilities and the two basic security models they
follow.
XML and Web Services Security can be categorized into Trust and Threat
Models. The Threat Model helps identify both inbound and outbound threats
and provides means of remediating such threats. Trust Models...
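The inbound side of the Threat Model above (hostile or malformed XML arriving at the service), as an added example that is not the article's code: a standard-library checker in the style of the XML threat mitigation an XML gateway performs before a message reaches the application parser. The class and function names, the limits and the sample documents are assumptions constructed for this example.

```python
"""Inbound XML threat checks like those an XML gateway applies before a
message reaches the service. Added example (not the article's code),
standard library only: refuses DTDs and entity declarations (the vehicle for
XXE and entity-expansion attacks), external entity references, nesting deeper
than a limit, text runs longer than a limit and documents over a byte cap."""
import xml.parsers.expat


class XmlThreat(Exception):
    """Raised when a message violates one of the gateway's limits."""


class XmlThreatChecker:
    def __init__(self, max_bytes=1_000_000, max_depth=32, max_text=64_000, max_attrs=64):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_text = max_text
        self.max_attrs = max_attrs

    def check(self, data):
        """Return {'elements': n, 'max_depth': d} for a clean document, else raise XmlThreat."""
        if len(data) > self.max_bytes:
            raise XmlThreat(f"size: document exceeds {self.max_bytes} bytes")
        stats = {"elements": 0, "max_depth": 0}
        state = {"depth": 0, "text": 0}   # text = length of the current run of character data

        def reject(reason):
            def handler(*_args):
                raise XmlThreat(reason)
            return handler

        def start_element(name, attrs):
            state["depth"] += 1
            state["text"] = 0
            stats["elements"] += 1
            stats["max_depth"] = max(stats["max_depth"], state["depth"])
            if state["depth"] > self.max_depth:
                raise XmlThreat(f"depth: nesting deeper than {self.max_depth} at <{name}>")
            if len(attrs) > self.max_attrs:
                raise XmlThreat(f"attrs: more than {self.max_attrs} attributes on <{name}>")

        def end_element(_name):
            state["depth"] -= 1
            state["text"] = 0

        def character_data(chunk):
            # expat delivers text in pieces; count the whole run between tags
            state["text"] += len(chunk)
            if state["text"] > self.max_text:
                raise XmlThreat(f"text: text run longer than {self.max_text} characters")

        parser = xml.parsers.expat.ParserCreate()
        # Any DTD is refused outright: it carries XXE and billion-laughs payloads.
        parser.StartDoctypeDeclHandler = reject("dtd: DOCTYPE declaration not allowed")
        parser.EntityDeclHandler = reject("dtd: entity declaration not allowed")
        parser.ExternalEntityRefHandler = reject("dtd: external entity reference not allowed")
        parser.StartElementHandler = start_element
        parser.EndElementHandler = end_element
        parser.CharacterDataHandler = character_data
        try:
            parser.Parse(data, True)
        except xml.parsers.expat.ExpatError as exc:
            raise XmlThreat(f"malformed: {exc}") from None
        return stats


# Constructed sample messages, one clean and five hostile or broken.
SOAP_DECL = b'xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
SAMPLES = {
    "benign": b"<soap:Envelope " + SOAP_DECL
              + b'><soap:Body><Order id="42"><Qty>3</Qty></Order></soap:Body></soap:Envelope>',
    "xxe": b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    "billion_laughs": b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                      b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                      b"<lolz>&lol2;</lolz>",
    "deep_nesting": b"<a>" * 40 + b"</a>" * 40,
    "huge_text": b"<n>" + b"A" * 100_000 + b"</n>",
    "malformed": b"<a><b></a>",
}


def classify(samples=SAMPLES, checker=None):
    """Run every sample through the checker: 'ok' for clean messages, else the rejection reason."""
    checker = checker or XmlThreatChecker()
    results = {}
    for name, doc in samples.items():
        try:
            checker.check(doc)
            results[name] = "ok"
        except XmlThreat as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:15} {verdict}")
```

The checks run on a throwaway parser that never resolves entities or builds a tree, so the expensive or dangerous work (entity expansion, file or network fetches, deep recursion in the application's own parser) is never reached for a rejected message; the byte cap is applied before parsing at all. Outbound checks in the same Threat Model (leaking stack traces, internal hostnames or schema details in faults) would sit on the response path and are not shown here.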
If you're having trouble getting your head around a single cloud deployment,
please feel free to skip this article.
Now if you're someone who thinks that most IT resources will eventually live
in a private or public cloud-based domain, you're not alone, and you may
start looking into how best to work in a multi-cloud environment.
Paul Krill's article "Cerf urges standards for cloud computing" highlights
cloud interoperability and portability issues discussed by Vint Cerf,
co-designer of the TCP/IP protocols that form the backbone of modern
communication.
It behooves us to consider Cerf's viewpoint on what's required for successful
cloud computing. Some of the points that he makes are as follows:
Authentication/Security
According to Cerf, "Strong authentication will be a critical element in the
securing of clouds." We know that authentication is core to establishing...
Looks like Forum Systems, the pioneer and leader in XML Gateway and XML
Firewall technology, has announced the latest version of Forum Sentry, which
now addresses the growing need for handling not just XML/Web services
traffic, but also HTML/portal traffic.
From a technology standpoint, this is not a revolutionary jump, but a gradual
evolution of the XML Gateway that now also handles HTTP headers and HTML,
which is far easier than inspecting the XML payload itself.
However, the business implication is significant, since companies can
now use a single platform for HTML and XML processing.
Continuing to set the benchmark for securing Web services, key new
capabilities available via Forum Sentry include:
HTML Portal Virtualization – Deployed in a “proxy” setting, Forum
Sentry removes the identity and security burden from Web sites and portals.
Leveraging Single Sign On (SSO...
Looking down my blogroll earlier today, I see "A message from Jamie Lewis".
Jamie is the CEO of Burton Group, and always worth listening to, especially
at his Catalyst talks.
So, I click on the link and read that Burton has been acquired by Gartner!
Analyst consolidation continues into 2010...
Congratulations to all at Burton, especially Richard Watson who spoke at
Vordel's conference last November, Anne Thomas Manes whose views on SOA are
quite literally a matter of life and death, and Phil Schacter who has been
tracking Vordel since 2001.
Forum Systems unveiled a first-of-its-kind identity broker hardware
appliance, Forum STS.
Web services-based Service Oriented Architectures (SOA) enable communication
via ubiquitous standards such as XML and SOAP. To foster efficient, effective
message exchange and satisfy increasing user demands for real-time,
aggregated information from internal and external business partners, trust
must be established among all entities. Comprehensive mediation,
authentication, and authorization of identity exchange among customer and
partner portals, Web applications, and XML-based Web services provide the
business with a simplified, coherent model for identity management and build
the pillars of Federated SOA.
Addressing these requirements, Forum STS produces and consumes identity
tokens in varying protocol and message formats. Performing identity
tran...
Forum Systems, a wholly owned subsidiary of Crosscheck Networks, Inc., today
unveiled the latest version of its flagship product, Forum Sentry. The
announcement was made in conjunction with the OWASP AppSec 2009 Conference,
the largest application security conference in the United States, taking
place this week at the Walter E. Washington Convention Center in Washington,
DC.
Processing more than one billion transactions per day worldwide, the FIPS-
and DoD-certified Forum Sentry XML Gateway offers the industry’s most
comprehensive protection against XML- and SOAP-based vulnerabilities.
Extending its data integration capabilities to self-service portals and Web
applications, Forum Sentry now provides enterprises and government agencies
with the foundation for achieving SOA federation. By fostering this deeper,
more meaningful Web experience, Forum Sentry enables gre...
Crosscheck Networks, Inc., a leader in Web services testing, simulation and
security, today announced immediate availability of SOAPSonar 5.0.
This latest release empowers enterprises, for the first time, to test
functional and performance characteristics of unlimited-sized Web services
attachments via streaming of structured and unstructured data based on
industry standards such as MTOM and MIME. Notably, in this new release
SOAPSonar also offers support for WS-Trust, SAML 2.0, and WS-identity tokens
ensuring a best-practices approach to federated identity management for
strict authentication and authorization testing.
“Moving to an SOA doesn’t mean that you’ve solved the issue of how to
move large files throughout your environment,” said L. Frank Kenney,
Research Director for Gartner, Inc. “Because the complexity and size of
files and thus attachments is growing e...