Thursday, July 19, 2012

Week 7 - CYBR 650

Why do I have this nagging feeling it should be Week 8???? Ugh, I am going to need a vacation! I guess this is what happens when you have a one day break between two semesters. 

This week's topic:  

You might post about your experiences with the assignments, or perhaps observations from fellow students. Alternatively, this week you can consider technical aspects of cybersecurity. What tools or technologies are beneficial for Cybersecurity Professionals. 

I am hoping "Coach" will allow me to post on the tools and technologies next week as that will be when I return from DEFCON 20 and I should have a ton of information to post on here.

This post actually comes from a discovery I made in my other class which is XML. This week, for discussion, the professor gave us the freedom to post on whatever we wanted regarding XML. Since my major is Cybersecurity and not Web Application Design, I started a discussion regarding the security of XML. I needed to get into a topic I was a bit more comfortable in.

I will copy and paste my original post for the class and then give you my thoughts afterwards:

For those who don't know, I am actually getting my Master's in Cybersecurity. The class I needed was not offered this semester, so I thought I would take this course. It has been a struggle as I thought this would be a course I could easily understand, but I am finding out that this has been one of my harder classes (that and with all the summer activities, finding time to get my assignments in on time is a bear!). What caught my interest though was XML in web applications. You read on the news all the time about Yahoo! being hacked and user names and passwords being stolen by SQL injection. I took this course to see that side of hacking. While it is not SQL injection, XML still must be secured.
In going through the tutorials, there is a lot of data that can be accessed through XML. We have already done real estate, sales, and in some cases, personal information that you really do not want online. This piqued my interest. How secure is XML anyways?

I found two interesting articles for securing XML web applications. One is dated for 2004. Being frustrated that most of my hits were so old, I narrowed my Google search to the last year and actually found one written 14 June 2012!!!! Yay me!
The first article is Ten Guidelines For Deploying Secure XML Web Services.

Now, it would appear to me that this is mostly for web services that utilize XML. Sometimes I'm not the brightest person in the world, so feel free to thwap me with a large trout and correct me. XML is being used though and while sites like mine may not say "XHTML", they do use XML tools such as CSS. In this article, you read that it is important to validate the XML messages using XML Schema Definitions (XSD) and use XSLT to transform XML messages. When reading that, I thought, "HEY! I'm learning about that now!"
The second article is by IBM: Securing Web Services For Version 5.x Applications Using XML Encryption
This is actually the second time I saw XML encryption in an article. The one above briefly mentions it, but this one goes into it more in depth. In fact, the article states:
"WebSphere Application Server provides several different methods to secure your Web services. XML encryption is one of these methods. You can secure your Web services using any of the following methods:
  • XML digital signature
  • XML encryption
  • Basicauth authentication
  • Identity assertion authentication
  • Signature authentication
  • Pluggable token"
It is probably safe to say that most of you are majoring in some sort of web management degree. While there is no such thing as true security, there are means to make it more difficult for someone like me to get into your stuff. The digital world makes it easier and easier to commit crimes from long distances. Information is currency which is why ID theft is on the rise.
In looking at the text, I did not find anything on XML encryption. Perhaps it is because it is done very similarly to encrypting other files and e-mails the same way. The receiver must have the sender's key in order to decrypt the message/file. 
Finally, just to give you something to think about, our favorite website www.w3.org has an article "XML Hacking is Fun!" I'm going to DEFCON next week. Guess what I am going to play with??? ;-) 
It has spurred on an interesting discussion in the class. This discussion caused me to realize that there are many systems and codes that we need to secure and we may not know about. Had I not taken XML, it never would have crossed my mind that it existed or could be breached. It just goes to show exactly how much information there is out there and how much I don't know. But knowing what I don't know is a beginning to knowing.
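The one concrete piece of advice in the first article is to validate every XML message against a schema before the service acts on it. To show what that buys you, here is an added worked example; it is my own code, not code from the post or from either article. The real-estate "listing" message, its element names, the three sample messages and the schema table are all made up for this example. Instead of a real XSD (which would need a schema-aware parser such as lxml), the schema is a small Python table that plays the same role: it names the only elements allowed and what their text must look like. Anything not in the table is rejected, and a message carrying a DOCTYPE is refused before the parser ever sees it, because a parser that honours DTDs can be made to expand entities.

```python
import xml.etree.ElementTree as ET

# Constructed sample messages for a hypothetical real-estate listing service.
# The element names and the schema below are assumptions for this example.
GOOD_LISTING = """<?xml version="1.0"?>
<listing>
  <id>1042</id>
  <price>250000</price>
  <city>Omaha</city>
</listing>"""

# Same message with a non-numeric price and an element the schema never allowed.
BAD_LISTING = """<?xml version="1.0"?>
<listing>
  <id>1042</id>
  <price>free</price>
  <city>Omaha</city>
  <owner_ssn>000-00-0000</owner_ssn>
</listing>"""

# A message carrying a DOCTYPE. A data-only service has no reason to accept a
# DTD, so it is refused outright rather than handed to the parser.
DTD_LISTING = """<?xml version="1.0"?>
<!DOCTYPE listing [ <!ENTITY x "y"> ]>
<listing><id>1</id><price>1</price><city>&x;</city></listing>"""

# Stand-in for an XSD: every permitted child of <listing>, each with a
# predicate its text content must satisfy. Every entry is required exactly once.
SCHEMA = {
    "id": lambda s: s.isdigit(),
    "price": lambda s: s.isdigit(),
    "city": lambda s: 0 < len(s) <= 64,
}


def validate_listing(xml_text):
    """Return a list of validation errors; an empty list means the message passes."""
    # Reject DTDs before parsing: the check is on the raw text, so the parser
    # never gets a chance to expand anything declared in one.
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE/DTD not permitted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed: %s" % exc]
    if root.tag != "listing":
        return ["unexpected root element <%s>" % root.tag]
    if root.attrib:
        return ["attributes on <listing> not permitted"]

    errors = []
    seen = set()
    for child in root:
        if child.tag not in SCHEMA:
            errors.append("element <%s> not allowed" % child.tag)
            continue
        if child.tag in seen:
            errors.append("duplicate <%s>" % child.tag)
        seen.add(child.tag)
        if len(child) or child.attrib:
            errors.append("<%s> must be simple text" % child.tag)
            continue
        text = (child.text or "").strip()
        if not SCHEMA[child.tag](text):
            errors.append("<%s> has invalid value %r" % (child.tag, text))
    for required in SCHEMA:
        if required not in seen:
            errors.append("missing <%s>" % required)
    return errors


def parse_listing(xml_text):
    """Validate first, then return the typed fields; raises ValueError on any error."""
    errors = validate_listing(xml_text)
    if errors:
        raise ValueError("; ".join(errors))
    root = ET.fromstring(xml_text)
    fields = {child.tag: (child.text or "").strip() for child in root}
    return {
        "id": int(fields["id"]),
        "price": int(fields["price"]),
        "city": fields["city"],
    }


if __name__ == "__main__":
    for name, msg in [("good", GOOD_LISTING), ("bad", BAD_LISTING), ("dtd", DTD_LISTING)]:
        print(name, validate_listing(msg) or "ok")
    print(parse_listing(GOOD_LISTING))
```

The point of splitting validation from parsing is that the application code in parse_listing only ever touches messages that already match the schema, which is exactly the guarantee an XSD gives a web service: unexpected elements such as the owner_ssn field above are refused instead of silently flowing into the database.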
