XML Security Problem Could Affect SOA, Integration


I covered security when it was just a blip on the corporate IT radar. I remember writing articles explaining why companies had to start thinking about security as a business issue that should concern every level of IT, from the router to the coder.


I was reminded of that lesson this week by news that many open source XML libraries have vulnerabilities that could put you at risk of denial-of-service attacksand malicious attacks on affected systems.


Codenomicon discovered the flaws, which affect XML libraries from Sun, Apache Software Foundation, Python Software Foundation and the GNOME Project. Basically, Codenomicon's CTO Ari Takanen says it affects almost every open source library available. "The number of applications can be enormous," Takanen told The Register. "Basically, any application or piece of software that's using XML libraries is vulnerable."


Brian Krebs, who writes a security column for The Washington Post, offered a good roundup of just how pervasive XML is today, noting it's used in a variety of document formats, including docx, openoffice, playlists, configuration files and RSS feeds.


So don't think this is just someone else's problem and wait for a patch from your software company. This is seriously bad new and should serve as a reality check for IT departments. Gartner analyst Neil MacDonald says hackers are moving up the stack to the application level. MacDonald, Codenomicon and others warned that XML-related attacks will become a new area of exploration for attackers.


And that's going to require a new level of vigilance for developers and architects, particularly those dealing with Web services, SOA and data integration, all of which widely use XML.


As Erka Koivunen, Head of the Finnish branch of CERT, warned:


"XML implementations are ubiquitous - they are found in systems and services where one would not expect to find them. ... This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems."


Joe McKendrick, ZDNet's SOA blogger, writes that "Since XML is the foundation of all things SOA," this form of attack should be closely monitored by those involved with SOA efforts. SOA, like anything else, has its security pros and cons, McKendrick notes:


"SOA opens up many vulnerabilities, since code is being shared across organizational boundaries. At the same time, SOA provides for enterprise security services that can help remedy the spotty and uneven approaches seen across many environments."


Developers often move on without recording that detail, which makes it hard to identify which applications are affected by a vulnerability, according to MacDonald. Now might be a good time to start keeping track of the open source, third-party libraries you're using or have used.


It's also a good time to remind developers to monitor security bulletins. You've probably always done this for OS and software-related flaws, but now you'll need to monitor for flaws that might affect your in-house code. Takanen told the Washington Post that "nobody really cares until the first exploits emerge." Don't be the one to prove him right.