Industrial IoT Authors: Pat Romanski, William Schmarzo, Elizabeth White, Stackify Blog, Yeshim Deniz

Related Topics: Industrial IoT, Microservices Expo, Cloud Security

Industrial IoT: Article

XML Security Trust and Threat Models for Dummies

Quick guide to understanding XML security models

It is very rare today to find a business application that has not exposed its interface via SOAP/XML. XML is the building block that enables business or consumer applications to exchange data in a standard structured format.  The exchange of XML data typically takes place through an SOAP/XML interface based on the Web Services standard or through the REST-based standard.  These flexible standards that richly describe interface functions of an application also introduce a host of XML and Web Services security vulnerabilities.  This article is a quick guide to most common XML and Web Services security vulnerabilities and the two basic security models they follow.

XML and Web Services Security can be categorized into Trust and Threat Models.  The Threat Model helps identify both inbound and outbound threats and provides means of re-mediating such threats.  Trust Models ensure that message privacy and integrity are retained while ensuring appropriate authentication and authorization decisions are made before letting messages traverse a corporate network.

Threats: Three major threats are Denial-of-service attacks (DoS), Viruses, and SQL injections:

  • DoS attacks prevent a user, or an organization, from accessing services or resources that they would normally be able to access.  Although this type of attack can cost time and money, usually there is no information loss involved. In the XML world a malformed XML document can cause a DoS attack.  For example, a malformed XML payload can come in the form of a deeply nested XML document that causes the back end application parser to go into a tail spin.
  • A virus is a program, or a programming code, that replicates itself. Viruses are often found in email attachments, and downloaded files. They may erase data or damage the hard drive.  When a virus duplicates itself by resending itself as an attachment to an email or as a component of a network message, it is called a worm. There are three classes of viruses: file infections, system or boot-record infections, and macro viruses.  Viruses can use Web Services to enter corporate domains by going undetected through SOAP with attachments (MIME or MTOM).  Since such attachments are Base-64 encoded or maybe encrypted, traditional Anti-virus engines cannot match signatures to detect them.
  • SQL injections are used to gain access to a database or retrieve information from a database.  This access is unauthorized and programs and applications are at risk of being attacked.  It is easy to defend programs and applications from SQL injections by using simple coding practices or by looking for malicious string patterns used for SQL injections. SQL injection attack in the XML world comes in the form of an inbound XML payload containing SQL injection commands.  If not detected correctly, these commands can reach the back end database and cause information to be stolen.

Trust: Three major categories of trust are privacy, integrity, and identity:

  • When it comes to privacy, encryption protects personal information by encoding information.  This has to be done so that only the person or computer, with the private key can decode the information.
  • Integrity insures that no one tampers with information.  Signatures and verification are both part of integrity. Signatures are strings of letters and numbers that represent a signature.  The message is scrambled with mathematical formulas or algorithms.  A key is needed to validate the signature.  Verification simply validates a users indeed signed a message with his private key.
  • Identity involves authentication, authorization, access control and tokens.  Authentication verifies that information comes from a trusted source.  One must know who created the information, as well as be sure that the information has not been modified since created.  Authentication works closely with encryption to ensure that there is a secure environment.  Authorization is simply controlling the access and rights to resources, including things such as services or files.  Access control restricts what a user can do various resources.  There are many types of tokens including SSL tokens, SAML tokens, and WS-Username tokens.  Properly handing such Tokens both at the protocol and message level is crucial for establishing trust between business entities.

The threat and privacy/integrity/identity issues addressed in both of these models mitigate the most common XML vulnerabilities.  Thus, both Threat and Trust models should form the fabric of an enterprise's XML Security design.  From an actual implementation perspective,  an XML Gateway whose core engine is based on both models mitigate these common XML vulnerabilities thus ensuring robust exchange of XML data between enterprises.

More Stories By Rizwan Mallal

Rizwan Mallal serves as the Vice President of Operations at Crosscheck Networks, Inc. As a founding member and Chief Security Architect of Forum Systems, the wholly owned subsidiary of Crosscheck Networks, Rizwan was responsible for all security related aspects of Forum's technology.

Previously, Rizwan was the Chief Architect at Phobos where he was responsible for developing the industry's first embedded SSL offloader. This product triggered Phobos's acquisition by Sonicwall (NASD: SNWL). Before joining Phobos, he was member of the core engineering group at Raptor Systems which pioneered the Firewall/VPN space. Raptor after its successful IPO was later acquired by Axent/Symantec (NASD:SYMC).

Rizwan started his career at Cambridge Technology Partners (acquired by Novell) where he was the technical lead in the client/server group.

Rizwan holds two patents in the area of XML Security. Rizwan has a BSc. in Computer Science from Albright College and MSc. in Computer Science from University of Vermont.

IoT & Smart Cities Stories
While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settl...
@CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in ...
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessio...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
Rodrigo Coutinho is part of OutSystems' founders' team and currently the Head of Product Design. He provides a cross-functional role where he supports Product Management in defining the positioning and direction of the Agile Platform, while at the same time promoting model-based development and new techniques to deliver applications in the cloud.
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
LogRocket helps product teams develop better experiences for users by recording videos of user sessions with logs and network data. It identifies UX problems and reveals the root cause of every bug. LogRocket presents impactful errors on a website, and how to reproduce it. With LogRocket, users can replay problems.
Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection. The company has detected more than 300 million application eavesdropping incidents and currently secu...