XML Hackers

News.com reports on the need to secure XML and Web Services.

Many years ago, at an XML conference, David Megginson talked about the new kinds of security vulnerabilities XML creates, primarily through its careless use of external resources such as DTDs and entities.  The first BoF meeting on SOAP was held at the same conference.  Since then, discussions of security have surfaced occasionally among XML geeks, but no one else really noticed until now.

The rise in the number of articles like this one is, IMHO, driven by security companies extending their reach into the XML and web services market, not by increasing hacker activity against XML and web services.  The vulnerabilities are real, thanks to careless adoption of XML and web service technologies by mainstreamers and a general lack of awareness among XML developers, but hackers are not likely to come knocking at those vulnerabilities.

Why?  Because, if vulnerabilities in HTML-driven websites and web applications are antelopes and zebras, vulnerabilities in XML and web services are like monkeys and gophers.  Why would lions climb trees or dig into gopher holes when there are millions of more attractive prey?

Of course, some hackers will come knocking, but developers can easily move higher up the tree by using hardened, manageable XML processors and web service engines, which will emerge out of the glut of feature-happy, vulnerability-laden XML and web service tools accumulated over the past 7 years.  Education and awareness are what the market needs most of all, not expensive boxes or software peddled by security companies.
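What "hardened" means in practice for the external-resource problem above, as an added example written for this page (not from the post or any product it mentions): the Python standard library's expat binding configured to reject DOCTYPEs, external DTDs and external entity references, run on constructed sample documents.

```python
import xml.parsers.expat as expat

class ExternalResourceRefused(ValueError):
    """Raised when a document asks the parser to load something external."""

def parse_hardened(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse untrusted XML, refusing anything that would fetch an external resource.
    Policy: no DOCTYPE unless allow_dtd, never an external DTD, no parameter-entity
    expansion, and an external general entity reference raises instead of loading.
    Returns {"root": first element name, "text": character data}."""
    p = expat.ParserCreate()
    p.buffer_text = True  # deliver contiguous character data in one callback
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"root": None, "text": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise ExternalResourceRefused(f"DOCTYPE {name!r} not permitted")
        if sysid or pubid:
            raise ExternalResourceRefused(f"external DTD {sysid!r} refused")

    def external_entity_ref(context, base, sysid, pubid):
        # expat would otherwise expect us to open sysid; raising aborts the parse
        raise ExternalResourceRefused(f"external entity {sysid!r} refused")

    def start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name

    p.StartDoctypeDeclHandler = start_doctype
    p.ExternalEntityRefHandler = external_entity_ref
    p.StartElementHandler = start_element
    p.CharacterDataHandler = result["text"].append
    p.Parse(data, True)
    result["text"] = "".join(result["text"])
    return result

def verdict(data: bytes, allow_dtd: bool = False) -> str:
    """Classify a document under the policy as 'accepted' or 'refused'."""
    try:
        parse_hardened(data, allow_dtd)
    except ExternalResourceRefused:
        return "refused"
    return "accepted"

# Constructed sample documents (not taken from the original post).
CLEAN_DOC = b'<?xml version="1.0"?><note>hello</note>'
INTERNAL_ENTITY_DOC = b'<!DOCTYPE note [<!ENTITY greet "hi">]><note>&greet;</note>'
EXTERNAL_ENTITY_DOC = b'<!DOCTYPE note [<!ENTITY ext SYSTEM "http://example.invalid/x">]><note>&ext;</note>'
```

The policy only covers resource fetching; limits on internal entity expansion are a separate concern, which is why the `allow_dtd=False` default is the right setting for input you do not control.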

I will add XML and web services vulnerabilities to my stable of post topics, and will also discuss the real dangers of web services arising out of the increasing ad-hoc dependencies among web service providers.