Book review: XML security books

Wednesday, 2 October 2002, 9:47 AM EST

When you read the XML specification, you will notice that it contains no notion of security. Critical security functionalities such as encryption, digital signatures, and authentication are simply not part of the XML standard. XML is similar to many other protocols, languages, and operating systems in that it was originally developed without any thought to security and privacy. It is only after serious security vulnerabilities are discovered and publicized that they are patched. But this find, patch, fix mentality of information security is dangerous in that security problems can exist for months or years before they are found.

Similarly within XML, much of the security functionality has been added post-facto, namely in Canonical XML, XML Signature, and XML Encryption Syntax and Processing. By adding security to the core feature set of XML, the W3C has ensured that, to a degree, the find, patch, fix method won't be the manner in which XML security is developed.

A good reference book can help you navigate this XML security landscape. A pair of recent books, Secure XML: The New Syntax for Signatures and Encryption and XML Security do a good job of showing how XML can be made secure.

[ Read more ]


More than 900 embedded devices share hard-coded certs, SSH host keys

SEC Consult analyzed firmware images of more than 4000 embedded devices of over 70 vendors and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Nov 26th