XML and Security


This is the first in a series of articles exploring the security aspects of XML technologies.


Intended Audience

Anyone with an interest in security and XML, but mostly architects and developers working with XML technologies.


Security 101

Let's start off with defining our terms.


Security is about maintaining the confidentiality, integrity, and availability of data and the systems that process them. Collectively, these three properties are known as the CIA triad.


Confidentiality refers to efforts made to prevent unauthorized disclosure of information to those who do not have the need, or right, to see it. Without confidentiality there can be no privacy, which is the ability to selectively reveal information about oneself.


Integrity refers to efforts made to prevent unauthorized or improper modification of systems and information. It also refers to the amount of trust that can be placed in a system and the accuracy of information within that system.


Availability refers to efforts made to prevent disruption of service and productivity.


There are two different ways of looking at the CIA properties of an information system:

  1. Information security, or InfoSec, focuses on features whose sole purpose is enforcing some aspect of security. The most important of those features are authentication, authorization, and auditing. These security features make heavy use of cryptography.
  2. Application security, or AppSec, focuses on the regular features, the ones that exist for business reasons rather than security reasons, and on designing and implementing them in such a way that they do not compromise security. This is best realized as part of a Security Development Lifecycle (SDL) like the one we have at EMC.


Authentication is the act of verifying that an entity, like a user or an application, is who it claims to be, by checking its credentials. A username identifies the entity; the credential is what proves the claim: a password, a fingerprint, a SecurID passcode, etc.


Authorization is the act of deciding whether an authenticated entity may access a specific resource, and granting or denying that access accordingly. The resource can be an entire application, or a much smaller piece of functionality. Authorization is also referred to as access control. eXtensible Access Control Markup Language (XACML) is the OASIS standard for expressing access control policies in XML, together with the request/response format used to evaluate them.
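To make the policy side of authorization concrete, here is an added example of a tiny policy decision point over an XACML-style policy. It is not code from this article or the series, and it implements only a small slice of XACML 3.0 (Policy, Rule, Target, AnyOf, AllOf, Match, AttributeValue, AttributeDesignator; the string-equal function; the deny-overrides rule-combining algorithm). The policy, the request dictionary shape and the function names decide and access_request are all assumptions made for the illustration.

```python
"""Minimal XACML-style policy decision point (PDP).

Added illustration, not code from the XML and Security series. It handles a
small subset of the XACML 3.0 vocabulary (Policy, Rule, Target, AnyOf, AllOf,
Match, AttributeValue, AttributeDesignator), only the string-equal function
and only the deny-overrides combining algorithm; conditions, obligations and
policy sets are left out.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: doctors may read records, nobody may delete them.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="records" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="doctors-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">doctor</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE_ID}"
                             DataType="{STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
                             DataType="{STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="nobody-may-delete" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">delete</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
                             DataType="{STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _q(tag):
    """Namespace-qualify a tag name the way ElementTree expects."""
    return f"{{{XACML}}}{tag}"


def match_holds(match, request):
    """One <Match> holds iff some request value for the designated attribute
    equals the literal. `request` maps (category, attribute-id) to values."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')!r}")
    literal = match.find(_q("AttributeValue")).text
    designator = match.find(_q("AttributeDesignator"))
    key = (designator.get("Category"), designator.get("AttributeId"))
    values = request.get(key, [])
    if not values and designator.get("MustBePresent") == "true":
        raise ValueError(f"required attribute {key} missing")  # Indeterminate
    return literal in values


def target_matches(element, request):
    """A missing or empty <Target> matches everything. Otherwise every <AnyOf>
    must hold; an <AnyOf> holds if any <AllOf> holds; an <AllOf> holds if all
    of its <Match> elements hold."""
    target = element.find(_q("Target"))
    if target is None:
        return True
    return all(
        any(all(match_holds(m, request) for m in all_of.findall(_q("Match")))
            for all_of in any_of.findall(_q("AllOf")))
        for any_of in target.findall(_q("AnyOf")))


def decide(policy_xml, request):
    """Deny-overrides: any applicable Deny rule wins, then any Permit rule."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("unsupported rule-combining algorithm")
    if not target_matches(policy, request):
        return "NotApplicable"
    effects = {rule.get("Effect") for rule in policy.findall(_q("Rule"))
               if target_matches(rule, request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def access_request(role, action):
    """Request for a subject with `role` attempting `action` on the resource."""
    return {(SUBJECT, ROLE_ID): [role], (ACTION, ACTION_ID): [action]}
```

Calling decide(POLICY_XML, access_request("doctor", "delete")) returns "Deny" even though the subject is a doctor, because deny-overrides lets the delete rule win; a nurse reading gets "NotApplicable", which a policy enforcement point should treat as a denial. Anything the evaluator does not understand (another function, another combining algorithm, a required attribute that is missing) raises rather than silently permitting, which is the fail-closed behaviour an access control component needs.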


Auditing is the act of recording who did what, and when. Audit records are what make non-repudiation possible, so they must themselves be protected against tampering and deletion.


Cryptography is the practice and study of techniques for secure communication in the presence of malicious third parties. Cryptography is fundamental to security.


XML and Security

Every technology has security implications, and so does XML. From the InfoSec perspective we see some XML-based standards for authentication and authorization. From the AppSec perspective we see some potential vulnerabilities resulting from the (improper) use of XML.
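As an added example of the AppSec side (not code from this article or the series, which does not yet name any particular vulnerability), the following shows one of the classic ways improper use of XML bites: entity declarations in a DTD are a legitimate feature, yet a careless parser will happily expand a few hundred bytes of nested entities into a much larger string, and deeper nesting turns that into a denial of service. The hardening shown, refusing any document that carries a DOCTYPE, is one standard mitigation and also shuts out external entity declarations. Only Python's standard library is used; the sample document, the function names and the DoctypeRejected exception are constructed for the illustration.

```python
"""Careless versus hardened XML parsing.

Added illustration, not code from the XML and Security series, of how improper
use of XML turns an ordinary feature, entity declarations in a DTD, into a
denial-of-service vector, and of one mitigation: refusing every document that
carries a DOCTYPE before the parser can act on it. Only Python's standard
library is used; the sample document is constructed here.
"""
import xml.parsers.expat

# Constructed sample. Each entity expands to four copies of the previous one,
# so the text of <doc> is 4**4 = 256 characters although the document itself
# is under 300 bytes. Real attacks nest far deeper and expand by much more.
EXPANDING_DOC = b"""<!DOCTYPE doc [
  <!ENTITY e0 "x">
  <!ENTITY e1 "&e0;&e0;&e0;&e0;">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;">
  <!ENTITY e4 "&e3;&e3;&e3;&e3;">
]>
<doc>&e4;</doc>"""

PLAIN_DOC = b"<doc>hi</doc>"


class DoctypeRejected(ValueError):
    """The document declares a DTD and the caller does not allow one."""


def text_length(document, allow_doctype):
    """Parse `document` and return the number of characters of text it
    produces after entity expansion. With allow_doctype=False the parse is
    aborted as soon as a DOCTYPE is seen, which also blocks external entity
    declarations (the XXE class), since those can only live in a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if not allow_doctype:
        def reject(doctype_name, system_id, public_id, has_internal_subset):
            raise DoctypeRejected(f"DOCTYPE {doctype_name!r} is not allowed")
        parser.StartDoctypeDeclHandler = reject

    parser.Parse(document, True)
    return sum(len(chunk) for chunk in chunks)


def careless_parse(document):
    """How most code uses a parser: whatever the DTD says goes."""
    return text_length(document, allow_doctype=True)


def hardened_parse(document):
    """Same parse, but documents with a DTD are refused outright."""
    return text_length(document, allow_doctype=False)
```

careless_parse(EXPANDING_DOC) returns 256 for a document whose visible content is a single entity reference; hardened_parse raises DoctypeRejected on the same input and still parses PLAIN_DOC normally. Rejecting the DOCTYPE wholesale is the simplest defensible policy for data received from outside, because it does not depend on remembering every parser option that controls entity handling.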


Below is a list of articles in the XML and Security series:


Stay tuned for more articles and, more importantly, stay secure!