XML Web Service Security: Not All XML Is Created Equal
There is a lot of hype right now about security in the cloud and about increased attacker activity centered on XML and the Web. Unfortunately, the people discussing these issues use the terms loosely, without acknowledging that Web services and XML (and cloud computing, for that matter) take different forms. Those different forms carry different levels of risk and call for different security strategies.
We want to assure our clients that CDYNE's XML Web Services are not exposed to the issues raised in the media recently. The risks being discussed revolve around open source XML code and the businesses that adopt that freely available code. At CDYNE, we do not give anyone access to our code, so no one outside the company can see exactly how we provide our services. We offer free trial license keys and sample code that developers can program into their own systems, but this gives developers access only to the service itself, never to the code that implements it.
The authors of these articles and blog posts about the dangers of XML apply blanket terminology to every form of XML, which appears in almost everything we do with computers and the Web. Each situation has to be assessed on its own: we need to be clear about when an XML technology depends on potentially tainted open source libraries and when it does not. Many Web services vendors are as careful with their code as we are, and would neither grant anyone use of it nor borrow code from an open source library to deliver their service.
Open source XML technology:
• Offered to anyone over the Web
• Malicious code can be buried inside otherwise legitimate code
• No guarantee of encryption or other security controls, since anyone can modify and redistribute the code
CDYNE XML Web Services:
• Closed source: only the service is offered, never the source code
• Code is never made visible outside the organization
• Purchased, restricted license keys
• 128-bit SSL (TLS) encryption
• Built on the Microsoft .NET platform
• Built-in security checks
As an added security measure, CDYNE never hosts all related data in the same place. Our Postal Address Verification Web Service, for instance, stores no names alongside the addresses. Only one address is visible in the data stream at a time, so an attacker who somehow got past our defenses would see a single address, not your list.
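The client-side half of that pattern, as an added example that is not CDYNE's code and does not use its real API: each record is reduced to address fields only (names are dropped before serialization), each request carries exactly one address, and the channel is TLS with certificate and hostname verification. The endpoint, namespace, operation and element names are invented for illustration, and the transport is injectable so the logic can be exercised offline with a fake server reply.

```python
"""Added example, not CDYNE's code.  Shows one-address-per-request,
name-free payloads and verified TLS.  ENDPOINT, NS and the element names
are hypothetical, not CDYNE's real service contract."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = "http://example.invalid/address"             # hypothetical service namespace
ENDPOINT = "https://example.invalid/Verify.asmx"  # hypothetical endpoint
ADDRESS_FIELDS = ("Street", "City", "State", "Zip")  # the only fields ever sent


def build_request(record: Dict[str, str], license_key: str) -> bytes:
    """Serialise exactly one address.  Anything not in ADDRESS_FIELDS (names,
    account numbers, notes) is dropped here, so it never reaches the wire.
    ElementTree escapes '<', '>' and '&' in text, so a hostile field value
    cannot inject extra elements into the envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    op = ET.SubElement(body, f"{{{NS}}}VerifyAddress")
    ET.SubElement(op, f"{{{NS}}}LicenseKey").text = license_key
    for field in ADDRESS_FIELDS:
        ET.SubElement(op, f"{{{NS}}}{field}").text = record.get(field, "")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def https_transport(payload: bytes) -> bytes:
    """Send one envelope over TLS.  create_default_context() verifies the
    certificate chain and hostname; the TLS 1.2 floor is set explicitly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLS1_2
    req = urllib.request.Request(
        ENDPOINT, data=payload,
        headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def verify_addresses(records: List[Dict[str, str]], license_key: str,
                     transport: Callable[[bytes], bytes] = https_transport) -> List[str]:
    """Verify a list one record at a time.  Each request carries a single
    address and no name, so a captured or logged request exposes at most
    one address.  Replies come from the trusted endpoint; for XML from an
    untrusted source, parse with a hardened parser such as defusedxml."""
    statuses = []
    for record in records:
        reply = ET.fromstring(transport(build_request(record, license_key)))
        statuses.append(reply.findtext(f".//{{{NS}}}Status", default=""))
    return statuses


def count_elements(payload: bytes, local_name: str) -> int:
    """Audit helper: how many elements with this local name went on the wire."""
    root = ET.fromstring(payload)
    return sum(1 for el in root.iter() if el.tag.endswith("}" + local_name))
```

The point of the injectable transport is that the privacy property (no names, one address per envelope) can be asserted against the exact bytes leaving the client, rather than trusted from a description of the service.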