Securities Perspective in ESB-Like XML-Based Attacks: Interface Abstraction, Data Privacy, and Integrity

Introduction

ESB where considered as a service oriented infrastructure component which actually helps services to interact via messages and events. But now a days’ paradigm has been changed and the SOA which helps in providing B2B services and cutting cost effectively is no more reliable with traditional ESB. Because XML attacks/injection is not only a factor while using ESB but data privacy & integration is also a major concern. Protection of internal applications is one of them while interfaces are exposed to external parties in B2B/server to server communication and henceforth data privacy & integrity can’t be maintained most of the times. Interface abstraction was not as powerful to encapsulate the message among layers due to the emerging XML based attacks where you IP based firewalling is not enough instead the application interaction using the service interfaces like XML, JSON, SOAP and REST API etc.

One of the best solution is to use SOA Gateways instead of traditional ESB where not only it protects from new threats like XML based but also provides endpoint abstraction plus message and field level data integrity and privacy as well. The only thing while deploying the SOA gateways is vendor implementations for example custom code shall not be allowed to add to your XML gateway just like we don’t add any custom code at network packet firewall. And the only IBM DataPower (2016) and Forum Sentry are the products who don’t permit code to be injected or dropped at XML gateways while CISCO ACE Gateway (Cisco, n.d.) does. So choosing the appropriate protocol with appropriate format to deliver the message to the target destination is one of the crux to keep in mind for SOA Gateway Vendor implementations (SOA Expressways, n.d.). But it doesn’t mean that we exclude the idiosyncrasies or security features of SOA gateway which ultimately once configured correctly will guaranteed the best security in the environment. There is believe that SOA gateway can be worked and considered as half of Web Application Firewall as it allows to configure the policies and ACL.

So this is not just limited with the limitations and security aspect in ESB. There is much more detailed and descriptive information has been required to depth look into to actually know how the new threats actually like XML attacks intercept the request and response and do the malicious tasks as per they like. XXE based attack, Injection & generator attack are just one of the kind. How in depth privacy comes into the picture and how actually it evades at deep web network? How & what kind of privacy laws and security certifications (ex. FIPS 140-2 gold standard) can provide security assessment? Why traditional approach of ESB was not sufficient enough to protect the data in message? What kind of OWASP TOP 10 vulnerabilities comes into the play, what are their severity score to hamper the business and what could be the mitigations? What Keys, Encryption/Signature policies can be utilized to secure at XML gateway?