SOA Security: External Schema Validation?

SOA security, protecting your SOA and underlying infrastructure against hackers, is a constant battle. Invoking external schema validation may sound like added protection; however, this approach can actually leave you more vulnerable to attacks.

The Idea: "Hackers Will Never Touch Our Data: We Have External Schema Validation"

Academic Business Services (ABS), a chain of schools specializing in academic degrees for working adults, wanted to increase its Web services security. It decided to invoke external schema validation. This setting allowed the schema "check" to reside in an alternate location, thus reducing the risk that hackers would be able to decipher the schema using carefully constructed "probing" transactions.

Why It Wasn't So Smart

Often the location of the external validation can be deciphered from the transaction response. A hacker quickly discovered that he could spoof ABS' IP and change the location of the company's schema check. He then initiated transactions with an alternate schema and had it verified by the faux schema validation at the spoofed IP address. This caused the failure of legitimate transactions.

So, although hackers could not obtain important data from ABS, they still succeeded in impacting its business.

SOA security is not guaranteed by external schema validation: hackers are still able to impact the operation of the business.

A Better Approach to SOA Security

You can safeguard your schema by following a few simple steps. First, give the schema to your partners, since you can directly contact them. Then put schema validation on an internal table that is secured by both traditional perimeter defenses and end-point security.
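The sketch below is an added example, not code from ABS or from the white paper. It shows one way to keep the schema choice internal: the service looks the schema up in its own store, checks it against a digest recorded at provisioning time, and rejects any transaction that tries to name a schema location itself. The namespace, store layout, sample messages and function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
HINTS = ("{%s}schemaLocation" % XSI, "{%s}noNamespaceSchemaLocation" % XSI)

# Constructed stand-in for the internally held schema and its provisioning-time digest.
ENROLL_XSD = (b'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" '
              b'targetNamespace="urn:example:enroll"/>')
SCHEMA_STORE = {"urn:example:enroll": (ENROLL_XSD, hashlib.sha256(ENROLL_XSD).hexdigest())}

# Constructed sample transactions: one plain, one naming its own schema location.
GOOD = b'<e:enroll xmlns:e="urn:example:enroll"><e:student>1001</e:student></e:enroll>'
REDIRECTED = (b'<e:enroll xmlns:e="urn:example:enroll" '
              b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
              b'xsi:schemaLocation="urn:example:enroll http://schemas.invalid/enroll.xsd">'
              b'<e:student>1001</e:student></e:enroll>')


def select_schema(message, store=SCHEMA_STORE):
    """Return the internally held schema bytes for a message.

    The schema is chosen from the root namespace only; a location supplied
    inside the transaction is treated as an error, never followed.
    """
    root = ET.fromstring(message)
    for elem in root.iter():
        for hint in HINTS:
            if hint in elem.attrib:
                raise ValueError("transaction names its own schema location: %r"
                                 % elem.attrib[hint])
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if namespace not in store:
        raise ValueError("no internal schema for namespace %r" % namespace)
    schema, pinned = store[namespace]
    # Detect a swapped or modified schema before it is used for validation.
    if hashlib.sha256(schema).hexdigest() != pinned:
        raise ValueError("internal schema does not match its pinned digest")
    return schema


if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("redirected", REDIRECTED)):
        try:
            select_schema(msg)
            print(name, "-> validate against internal schema")
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The bytes returned by `select_schema` are what gets handed to the XSD validator, so the validator never fetches a schema from a location it learned from the network.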

Complete SOA security cannot be obtained through any single means: by employing a firewall – or by invoking external schema validation, for example. Any single approach to SOA security will ultimately be defeated by hackers. The organization must take a much more aggressive approach, employing multiple means of defense in order to secure the services network.

For More Information

Find out more about SOA security: download the free white paper, XML Web Services Security: Going Production.

The Secret to SOA Security is not External Schema Validation: Understand Why

Download the free white paper, "SOA Worst Practices, Volume I," now.
