Peter Soderling and Steve Orrin to Demonstrate New Cloud Security Breaches at RSA Conference 2009


Peter Soderling, CEO and founder of Stratus Security Technologies, and Steve Orrin, Intel's director of security solutions, will demonstrate new kinds of Internet attacks known as XML bombs at the RSA conference in San Francisco on Tuesday, April 21, 2009 at 5:40 p.m. The attacks threaten companies and consumers using APIs and web services.



XML bombs are an emerging class of Internet cloud security attacks that threaten any company offering content and data via web services and application programming interfaces (APIs). The attacks also threaten the consumers who use the sites.

APIs let web developers make their sites' content and data easily available as web services to other developers, who use the services in their sites and software. In a recent survey of IT professionals, web services were cited as the most important trend that will impact their business. By 2013 web services are projected to become a $35 billion industry, according to McKinsey & Company.

While APIs enable sites to share content and create new services more easily, they also create new avenues for malevolent hackers. According to the Open Security Foundation, 14 percent of data theft occurs through web services. With an estimated $1.2 billion in losses in 2008, these data leaks are not only embarrassing, they're costly.

"As organizations adopt XML and Web 2.0 services and architectures, it is important they understand the grave risk these new technologies can pose," said Orrin.

Soderling and Orrin will provide the public debut of new attack methods in order to raise awareness within information security circles, among people who manage web services and APIs for their companies, and among people who use sites, such as Facebook and Twitter, that share their content and data with other sites via APIs.

In the session, titled "XML Attacks and Prevention in a Web 2.0 World", Soderling and Orrin will demonstrate XML bombs researched in association with the Center for Advanced Defense Studies. Examples include the following:

  • RSS attack: the attacker injects malicious content into a site's RSS feed, which is itself XML; the feed is then delivered through the API to every client that requests it, so one poisoned feed reaches all of its subscribers.
  • Entity expansion attack: the attacker sends a request whose DTD defines entities that reference other entities in nested layers, so a document of a few kilobytes expands to gigabytes when parsed, exhausting the targeted server's memory and CPU until it stops responding to other requests.
  • XPath injection: the attacker supplies input that the API concatenates unchanged into an XPath query, altering the query so that it returns other users' data (such as account numbers).
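The entity expansion attack above is the one most readily shown in a few lines. The following Python script is an added example written for this page, not code from the presenters or from the conference session: it builds a small, constructed three-layer expansion document (the real "billion laughs" payload uses ten layers), parses it with Python's default expat parser to measure how much text the parser hands back, and then parses it again with a hardened parser that refuses any entity declaration before a single reference is expanded. The exception name and the function names are this example's own.

```python
import xml.parsers.expat

# Constructed sample payload: three layers of ten references each, so the
# three-byte entity "lol" is expanded 10**3 = 1000 times. Kept small on
# purpose; the attack described above nests ten layers for 10**10 copies.
BOMB = """<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<bomb>&lol3;</bomb>"""

# Constructed benign request, the kind of document an API actually expects.
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'


class EntityDeclarationRejected(Exception):
    """Raised by the hardened parser when a document declares entities."""


def _count_chars(parser: xml.parsers.expat.XMLParserType, doc: str) -> int:
    """Parse doc and return how many characters of element text the parser
    delivered. For an expansion bomb this is the attacker's payoff."""
    total = 0

    def on_chars(data: str) -> None:
        nonlocal total
        total += len(data)

    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_naive(doc: str) -> int:
    """Default expat parser: every internal entity reference is expanded."""
    return _count_chars(xml.parsers.expat.ParserCreate(), doc)


def parse_hardened(doc: str) -> int:
    """Same parse, but any entity declaration in the DTD aborts parsing.
    Services taking XML from untrusted clients rarely need DTD entities."""

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name) -> None:
        raise EntityDeclarationRejected(f"entity declaration refused: {name}")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    return _count_chars(parser, doc)


def rejects(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except EntityDeclarationRejected:
        return True
    return False


def amplification(doc: str) -> float:
    """Output characters per input character under the naive parser."""
    return parse_naive(doc) / len(doc)


if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes in, {parse_naive(BOMB)} chars out, "
          f"x{amplification(BOMB):.1f}")
    print(f"benign: hardened parser returns {parse_hardened(BENIGN)} chars")
    print(f"bomb: hardened parser rejects it: {rejects(BOMB)}")
```

Adding one more layer to the constructed payload multiplies the output by ten while adding about seventy bytes of input, which is why the check has to run on the declaration rather than on the size of the request. Refusing entity declarations outright (or the whole DOCTYPE) is the simplest policy for an API that only ever receives plain element data; a service that must accept DTDs needs a parser with an expansion limit instead.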

"What developers need to understand is that security is a whole new ballgame when it comes to deploying APIs. In addition to all the common application security concerns like SQL injection and broken authorization, they need to take steps to protect the XML parser as well, otherwise a savvy hacker will exploit their weak API defenses and steal data or take the service offline," says Soderling.

Soderling and Orrin also will discuss other web service attacks, including a recent spate of Twitter attacks, and they will outline the best ways to prevent attacks and protect content and data in the cloud.

The RSA Conference, now in its eighteenth year, brings together the world's largest community of information security professionals. The event will be held April 20-24 at the Moscone Center in San Francisco. For more information about the event, please visit http://www.rsaconference.com .

For more information on "XML Attacks and Prevention in a Web 2.0 World" please contact Stratus Security or follow Stratus Security via Twitter at StratusSecurity.

# # #


Contact Author

Lynda Radosevich

Pete Soderling