In the article "The importance of threat protection for RESTful web
services", I presented a number of content-based threats for XML. When
protecting an endpoint from XML-based attacks, payloads are not only scanned
for code injections, malicious entity declarations and parser attacks; XML
documents are also validated against strict schemas that clearly describe the
expected document structure. Enforcing this type of compliance at the edge,
in a SOA gateway for example, minimizes the risk of attacks against the Web
service endpoint. Structure definition languages such as XML Schema
Definition (XSD), Schematron and XPath are all helpful tools for describing the
type of data and the structure of XML documents that are expected at runtime.
alternative to XML and already established as the preferred content-typ...
It has been fascinating to witness how the use of SOA gateways evolved over
time. In 2010, we saw an explosion of market demand for our gateway appliance
product. Here are my thoughts on what I expect to see this year and beyond.
Recent use cases for these types of devices largely focused on B2B
interactions and internal enterprise integration. Many enterprise architects
realized the benefits of using the lightweight ESB-in-a-box deployment model
and gateway-based integration. I don't think we've hit the peak of this
type of use case. I expect the demand for quickly deployed int...
In terms of OAuth enterprise tooling, a lot of focus is given to
OAuth-enabling APIs exposed by the enterprise itself. Naturally, the demand
for this reflects today's reality, where the enterprise is increasingly
playing the role of an API provider. However, many enterprise integration use
cases involving cloud-based services put the enterprise in the role of API
consumer rather than provider. And as the number of enterprise applications
consuming these external APIs grows, and the number of such external APIs
themselves grows, point-to-point OAuth handshakes become problematic....
The adoption of cloud by organizations looking for more efficient ways to
deploy their own IT assets, or as a means to offset the burden of data
management, drives the need for identity federation in the enterprise.
Compounding this is the mobile effect, from which there is no turning back.
Data must be available any time, from anywhere, and the identities accessing
it must be asserted on mobile devices and in cloud zones, always under the
stewardship of the enterprise.
APIs serve federation by enabling lightweight delegated authentication
schemes based on OAuth handshakes using the sa...
As the enterprise is increasingly taking notice of WOA (Web Oriented
Architecture) these days, the need for security guidelines and standards for
RESTful Web services is becoming more pressing. Sure, RESTful Web services
are meant to borrow existing security mechanisms from the web, and HTTP Basic
over SSL, when done right, is a great way to accomplish shared-secret-based
authentication. Yet, for better or for worse, it is common to find REST API
providers defining their own authentication mechanisms.
Take for example the Amazon S3 REST API's custom HTTP authentication
scheme. Us...