



XML Web Services Vulnerability Threat Model to be made available to
Network Security Managers and Web Services Architects to help secure
Service Oriented Applications (SoA)

Washington, D.C., February 18, 2005 - The Advanced XML Security
Laboratories (AXSL) announced today the availability of the XML Web
Services Vulnerability Model, the first tool designed to help network
and application security managers plan and implement XML Web Services
threat mitigation solutions. The model is the result of extensive
research done by AXSL and its partner organizations.

XML Web Services threats are fundamentally different from network-based
threats. They represent a new class of risks that are directed
specifically at the application layer of the network protocol and
application stack. XML Web Services security threats can vary from
application to application. Without a clear understanding of these
differences, commonly accepted threat models and mitigation strategies
can lead to unforeseen vulnerabilities and a false sense of security for
XML Web Services applications.

"Our research shows that most network security managers and web services
architects put XML web services intrusion prevention high on their list
of application security concerns," stated Dr. Newton Howard, founder and
chairman of CADS.  "However, a significant number of security managers
indicated that there is limited information available regarding XML
threats and their impact on Web Services applications. Security managers
welcome the idea of an XML Web Services Threat model." 

XML Web Services traffic can be modified, processed or secured in
layered form, illustrating one clear distinction from network-based
threats.  The AXSL research highlights another type of XML threat,
referred to as vertical threats, which are multi-dimensional in nature
and span multiple layers of the protocol and application stack.  AXSL
research further categorizes horizontal and vertical XML threats.
Horizontal Threats include encoding threats, structural threats, grammar
validation threats, semantic representation threats, and semantic
implementation threats. Vertical Threats involve algorithmic threats,
external entity threats, and XML web services security threats.

The research establishes that the characteristics of XML threats make
them complicated and particularly hard to address with conventional
security mechanisms and threat models. AXSL is providing the XML Web
Services Threat Prevention Model to the public as a means to improve
overall security of XML Web Services. 

A complimentary copy of the "XML Web Services Vulnerability Intrusion
Prevention Model" can be downloaded from AXSL at:

About AXSL

"AXSL" was founded by the Center for Advanced Defense Studies (CADS), a
renowned think tank focusing on global information security and defense
initiatives, and Sarvega, Inc., the leading provider of XML networking
products, to conduct advanced research into XML Web Services security,
XML vulnerabilities, and the secure exchange of information amongst
trading partners. 

About CADS

CADS is an independent non-profit, non-governmental research institution
located in Washington DC. Created in 2001, CADS focuses its expertise on
issues of technology transfer, information sharing, global defense
policy initiatives, international education, and capacity building.

About Sarvega

Sarvega, Inc. is the leading manufacturer of XML networking products,
providing enterprises with unprecedented security, performance, and ease
of operation for XML Web Services. Sarvega's underlying technology, the
XML Event Stream Operating System (XESOS™, Patent Pending), combines
comprehensive XML security and XML routing functionality with wire-speed
performance, non-stop availability, and hardware platform independence.
Sarvega's XML networking products are available both as secure network
appliances and on multiple third party blade alternatives. Sarvega
introduced the industry's first wire-speed XML appliance, the first XML
content router, and the first XML grid computing solution. Sarvega's
worldwide customer base includes governments and leading companies in
Financial Services, Telecommunications, and Media and Entertainment.
Sarvega is the recipient of numerous technology awards for innovation,
including Computerworld's Innovative Technology Award and CMP Media's
COMET Award. For details, visit www.sarvega.com, send email to
info@sarvega.com, or call 630-627-3131.

					    # # #

Press Contact:

	Peter Borbely
        (919) 345-5079
