XML Security Upgrades, Research Available
Many developers say XML and security mix as well as oil and water. Get help and more code from XMLSecLib and others.
The XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with the goal of supporting major W3C XML security standards, including XML Signature; XML Encryption; and Exclusive XML Canonicalization -- issued July 18 by W3C, which provides for methods to use XML sub-documents that can support B2B digital signatures, etc. (the section formerly included in libxml2).
The mission of the XMLSecLib working group is to develop an XML-compliant syntax used for representing the signature of web resources and portions of protocol messages (anything referenceable by a URI) and procedures for computing and verifying such signatures. This is a joint Working Group of the IETF and W3C. W3C is hosting the email list and WG site publicly in accordance with IETF procedure. XML Security Library is released under the MIT License.
Other XML Security Resources
W3C continues to take comments on the XKMS (XML Key Management Specification), which specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signatures [XML-SIG] developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption.
An important key to understanding XML security is first knowing "web server" security basics -- protocols, SSL, etc. Kevin Boone provides a neat basic tour of web server security. His key advice to developers: Keep it simple and straightforward. Boone notes, "It is very important to understand that a secure web server uses encryption for communication of data between the web server and a browser and nothing else."
The Open Web Application Security Project (OWASP) has updated its Guide to Building Secure Web Applications and Web Services. This document sets out to describe technical components, people processes and management issues that are needed to design, build and maintain a secure web application. It includes requirements for architects and designers building common things like password reset systems, session management mechanisms and input filtering, as well as architectural guidance.
Much of OWASP's work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation are released under the GNU public licenses.
You or your firm may already be using component-based development practices and application servers for business logic. If so, then you already have a "service-oriented architecture" in place. This article, The Benefits of a Service-Oriented Architecture by independent consultant Michael Stevens, shows how you can further leverage your SOA to improve the security of your web services/integration projects.
Preston Gralla, author of "How the Internet Works," shares his view on what developers need to know about web services security in this column. Notably, Gralla includes his "Short List" for XML standards and initiatives you should keep an eye on.
A straightforward compilation of XML security links is available at the Westbridge Technology website's "Resources" page. It's one of the best and easiest to navigate that IDN has seen. Westbridge, based in Mountain View, CA, provides XML web services-based architectures.
A report on .NET Framework's security is available from Core Security Technologies and Foundstone Inc. The analysis highlights granular security control over applications and resources and .NET's toolset for authentication, authorization and cryptographic routines.