The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats

Presented at DEF CON 15 (2007), Aug. 4, 2007, 5 p.m. (50 minutes).

Organizations that are implementing XML-based systems, Web Services, and Web 2.0 applications are discovering that there are security challenges unique to them that can surface throughout the various phases of the lifecycle. Traditional network and application protection and infrastructure systems lack the functionality, performance, and operational efficiencies needed to provide a secure, cost-effective solution. Web Services, SaaS and SOA provide significant benefits and efficiencies to the organizations that implement them. However, they also introduce new risk structures not seen before in other applications or technology solutions. This session investigates the nature of XML, Web Services and next-generation threats, including a new threat model for categorizing and classifying threat types, attack vectors, and risks. The session covers new and evolving attacks and the potential damage and loss that they can cause. These include Payload, Semantic and Structural XML-based attacks, as well as some Web 2.0 attacks and next-generation worm threats.


Presenters:

  • Steve Orrin - Dir. of Security Solutions, Intel, Corp.
    Steve Orrin is Director of Security Solutions for SSG's SPI group at Intel, Corp. and is responsible for Security Platforms and for security strategy and product direction. Steve joined Intel as part of the acquisition of Sarvega, Inc., where he was CSO. Steve was formerly Vice President of Security Solutions for Watchfire, Inc. Steve was previously CTO of Sanctum, a pioneer in Web application security testing and firewall software, and came to Watchfire through an acquisition of Sanctum. Prior to joining Sanctum, Steve was CTO and co-founder of LockStar, Inc. LockStar provided enterprises with the means to secure and XML/Web Service-enable legacy mainframe and enterprise applications for e-business. Orrin joined LockStar from SynData Technologies, Inc., where he was CTO and chief architect of their desktop e-mail and file security product. Steve was named one of InfoWorld's Top 25 CTOs of 2004 and is a recognized expert and frequent lecturer on enterprise security. He has also developed several patent-pending technologies covering user authentication, secure data access and steganography, and holds one issued patent in steganography. Orrin holds an honors degree in research biology from Kean University and is published in several scientific and medical journals. Orrin is a member of the Network and Systems Professionals Association (NaSPA), the Computer Security Institute (CSI), SEI (Software Engineering Institute) and the International Association of Cryptographic Research (IACR), and is a co-founder of WASC (Web Application Security Consortium) and the SafeSOA Taskforce. He participates in several OASIS, IETF and AFEI working groups.