Temple University

Week 12: Article Summaries, In The News, and Question for Class…

Burns, S. (2001). “Web Services Security – An Overview”. SANS Institute, InfoSec Reading Room. Web services are software functions provided at a network address that enable machine-to-machine communication over the web. Each web service has an interface described in a machine-readable format (e.g. WSDL and UDDI), and is interacted with using Simple Object Access Protocol (SOAP) messages, encoded in XML and carried over TCP/IP networks via HTTP/HTTPS. Unprotected web services are vulnerable to the following attacks and problems: Reconnaissance, Denial of Service, Integrity Attacks, Firewall Bypassing, Unintended Software Interactions, and Platform Immaturity. Burns recommends the following countermeasures to protect web services: Enforce Trust Relationships, Encrypt Transport Links, Engineer Secure Components, Perform Regular Tests on Components, Reconcile WSDL Specs with Actual Operation, Use HTTP Proxy Filters, and Configuration Management. At the time of publication, emerging technology solutions included: Security Assertion Markup Language, eXtensible Access Control Markup Language, XML Signature, XML Key Management Specification, Kerberos, and Lightweight Directory Access Protocol.

Kwabi, C. (2003). “XML Web Services Security and Web based Application Security”. SANS Institute, InfoSec Reading Room. “XML Web Services are severely hampered by the inherent lack of support for security.” This paper provides a glimpse into efforts to “create a standardized security framework” for “…interoperability and end-to-end security amongst heterogeneous systems involved in XML Web Service communications sessions”.

In The News: Fox-Brewster, T. “Want Some Nuclear Power Plant ‘Zero-Day’ Vulnerabilities? Yours For Just $8,000”, Forbes/Security. Interesting article on the availability of exploit tools that contain SCADA system exploits and are updated and maintained with zero-day exploits: http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/

Question for Class: JSON seems to have two advantages over XML: 1) speed and ease in parsing data, and 2) simple data retrieval from JavaScript. However, the use of the eval() function to parse JSON into JavaScript objects makes an application vulnerable to executing arbitrary JavaScript code in production. Data access with XML tags does not require code execution to extract data. With that said, which is more secure, XML or JSON?
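The eval() hazard raised in the question, as an added example that is not part of the original post: the legacy eval()-based parse is placed beside JSON.parse(), and both are fed a constructed response body that looks like JSON but embeds a JavaScript expression with a side effect. The body string, the sideEffect flag and the function names are all assumptions made for this demo.

```javascript
// Added example (not from the original post). Contrasts eval()-based JSON
// parsing with JSON.parse() on one constructed input.

// Legacy pattern: eval() treats the response body as JavaScript source code.
// The wrapping parentheses make the object literal parse as an expression.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Safe pattern: JSON.parse() accepts only the JSON grammar and throws on
// anything else, so no code in the input can ever run.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Constructed response body: valid JavaScript, invalid JSON. The value of
// "role" is a comma expression whose first operand assigns to a global flag.
const untrustedBody =
  '{"user": "alice", "role": (globalThis.sideEffect = "ran", "guest")}';

// Constructed well-formed body: both parsers return the same object for it.
const wellFormedBody = '{"user": "alice", "role": "guest"}';

// Runs both parsers over the hostile body and reports what each one did.
function demo() {
  globalThis.sideEffect = "not run";
  const viaEval = parseWithEval(untrustedBody);
  const evalSideEffect = globalThis.sideEffect; // the embedded code executed

  globalThis.sideEffect = "not run";
  let jsonParseError = null;
  try {
    parseWithJsonParse(untrustedBody);
  } catch (e) {
    jsonParseError = e.name; // the strict parser rejects the input instead
  }
  const jsonParseSideEffect = globalThis.sideEffect;

  return { viaEval, evalSideEffect, jsonParseError, jsonParseSideEffect };
}

// Returns true when both parsers agree on a well-formed document.
function parsersAgreeOnWellFormed() {
  const a = parseWithEval(wellFormedBody);
  const b = parseWithJsonParse(wellFormedBody);
  return a.user === b.user && a.role === b.role;
}

console.log(demo());
console.log("parsers agree on well-formed JSON:", parsersAgreeOnWellFormed());
```

The point the output makes is that the two parsers are interchangeable only on well-formed JSON; on anything else, eval() silently executes whatever the sender put in the body, while JSON.parse() raises a SyntaxError and leaves the process untouched. Replacing eval() with JSON.parse() (or a JSON library with the same strictness) is the mitigation for the problem the question describes.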
