Software // Enterprise Applications
News
10/27/2003
06:57 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Westbridge Offers Web Services Security

It's positioning its upgraded XML Message Server as a safeguard for users of Microsoft Office 2003.

Westbridge Technology has upgraded its XML Message Server to provide security policy enforcements for Web services and is positioning the upgrade as a safeguard for users of the newly released Microsoft Office 2003 suite.

Office 2003's Excel spreadsheet program now can be translated into XML and incorporated intoWeb services, which could leave an organization exposed to new threats, says Kerry Champion, president and founder of Westbridge. "Microsoft and security are typically not complimentary words," says Champion.

Forrester Research analyst Ted Schadler wrote in a recent brief that Office 2003 provides limited support for XML, and said tools are needed to validate XML schemas and enforce security policies and standards, such as Security Assertion Markup Language [SAML] and WS-Security, for Office-generated files and documents that are exchanged on the Web. SAML and WS-Security are standards for establishing credentials for consumers and Web service users

As developers start to use Office 2003's XMS Plug-in for Excel spreadsheets, they will find there is no means of supporting authentication, encryption, and use of digital signatures for getting a secure, back-end system to accept an inquiry or message, says Andrew Yang, senior director of marketing at Westbridge.

The Westbridge XML Message Server can parse an XML message, inspect the contents, check the validity of the schema and otherwise check for tampering. Since XML provides an English-like instruction and tagging system, a hacker getting access to the message could change the contents or insert an unintended inquiry, Yang notes.

"One of the problems with Office 2003 is that a lot of people (who start using its XML features) don't understand the complexity," says Jason Bloomberg, an analyst at research firm Zap Think. A hacker gaining access to a message can insert executable code, and an XML parser will run it as it processes the message. Less likely than tampering, however, is the employee who tries to find out something he or she isn't authorized to know, Bloomberg says. XML Message Server will enforce user identification system policies on such a user, he says.

XML documents could also serve as involuntary hosts for buffer overflow attacks, where a server is intentionally crashed through errors in a message and then starts to execute a hacker's code as it reboots itself, says Yang.

The XML Message Server can construct a view of a Web service that decides what rules and policies should be applied to the user involved. The message server may also generate XML schemas and impose the schemas for certain purposes, ensuring that the data in the message is consistent with the message format.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.