RealTime IT News

XML Security Comes to the Fore at RSA

Computer security comes in many forms. But one of the newest frontiers is safeguarding and improving the performance of XML, as independent companies like Forum Systems, Sarvega, Reactivity and DataPower can attest.

Those vendors made a slew of announcements this week at the RSA Conference 2005, where shoring up the network against unwanted intruders, viruses and worms was the key focus.

Improving XML performance and security is of paramount importance for these vendors, because XML is the most common markup language used to write Web services, the next generation of distributed computing.

Estimated by research firms such as IDC, Gartner and ZapThink to be a multi-billion-dollar market over the next five years, Web services allow applications to communicate with each other across different networks, all over the world, to conduct transactions. Cisco is expected to enter the market soon.

Unfortunately, Web services are vulnerable to accidental and malicious exploits, because they have straight-through processing. One little exploit can lead to system delays and stolen data. In fact, Web services are the most commonly exploited vulnerability in Microsoft Windows systems, according to the SANS Institute Top-20 2004 list.

For those reasons and more, Forum has created XRay, a product that aims to close the loop between security enforcement and software policies.

For $500 a seat, XRay reproduces undesired usage patterns or malicious activities to zero in on system weaknesses throughout the service-oriented architecture (SOA), the framework from which most Web services will operate in an IT environment.

XRay works in conjunction with VulCon, which Forum described in a statement as a threat intelligence service for XML Web services vulnerabilities. Provided for free, VulCon alerts users to malicious cyber attacks and software vulnerabilities.

XML security vendor Sarvega meanwhile introduced its Command Center, a drag-and-drop policy software platform that can configure, deploy and manage Sarvega XML Guardian Gateway appliances individually, or as a cluster.

Command Center provides administrators the ability to provision a Web service based on its WSDL and allows administrators to write a default security policy for Web services. The software is available on Windows 2000, Windows NT and Windows XP, with future availability on RedHat Linux 9.0.

XML Guardian Gateway software has also been refreshed. Version 5.0 now enables verification or encryption of XML signatures at over 1,700 transactions per second and supports validation throughput at up to Gigabit levels.

Coercive parsing, password guessing threats, SQL code injection, dirty word filtering, external entity protection and XML security vulnerabilities were also addressed in 5.0.

In related news, DataPower landed $10 million in a new funding round, led by Atlas Venture. Also, DataPower's XS40 XML Security Gateway has passed muster with the World Wide Web Consortium's XML Key Management Specification (XKMS) interoperability testing. XKMS is designed to simplify the integration of public key infrastructure and digital certificates.

Meanwhile, Reactivity Monday unveiled the Reactivity Federated Identity Model for Web services, a reference architecture based on the Liberty Alliance trust model that offers a way to preserve and use layered identity with XML Web services.