Welcome!

Francois Lascelles

Subscribe to Francois Lascelles: eMailAlertsEmail Alerts
Get Francois Lascelles via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories by Francois Lascelles

As the enterprise is increasingly taking notice of WOA (Web Oriented Architecture) these days, the need for security guidelines and standards for RESTful Web services is becoming more pressing. Sure, RESTful Web services are meant to borrow existing security mechanisms from the web and HTTP Basic over SSL, when done right, is a great way to accomplish shared-secret based authentication. Yet, for better or for worse, it is common to find REST API providers defining their own authentication mechanisms. Take for example the Amazon S3 REST API’s custom HTTP authentication scheme. Using this mechanism, a requester signs the RESTful request using HMAC and a symmetric key associated with its Amazon account – the shared secret. This signature is attached to the request through the standard HTTP Authorization header. This achieves requester authentication as well as integri... (more)

SOA Gateway Trends for 2011 and Beyond

It has been fascinating to witness how the use for SOA gateways evolved over time. In 2010, we saw an explosion of market demand for our gateway appliance product. Here are my thoughts for what I expect to see this year and beyond. Recent use cases for these types of devices largely focused on B2B interactions and internal enterprise integration. Many enterprise architects realized the benefits of using the lightweight ESB-in-a-box deployment model and gateway-based integration. I don’t think we’ve hit the peak of this type of use case. I expect the demand for quickly deployed int... (more)

How Cloud, Mobile & APIs Change the Way We Broker Identity

The adoption of cloud by organizations looking for more efficient ways to deploy their own IT assets or as a means to offset the burden of data management drives the need for identity federation in the enterprise. Compounding this is the mobile effect from which there is no turning back. Data must be available any time, from anywhere and the identities accessing it must be asserted on mobile devices, in cloud zones, always under the stewardship of the enterprise. APIs serve federation by enabling lightweight delegated authentication schemes based on OAuth handshakes using the sa... (more)

WS Security Performance

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the con... (more)

JSON Schema Validation for RESTful Web Services

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema ... (more)