Re: XML Reeks of Insecurity: seven key XML-specific security issues that must be addressed

From: Scott Brown <r_dot_scott_dot_brown_at_gmail_dot_com>
Date: Mon May 02 2005 - 07:16:52 CDT


As a self-admitted "non-expert", I think you should realize that the amount
of due diligence necessary on your part before sounding the alarm should be
much higher than simply googling for "XML security" and pasting whatever
comes to the surface.

As a professional software developer, let me simply say that the articles
you forward here do not raise any security issues with XML. The first
article ("Crypto-Gram Newsletter", June 15, 2000) is mostly concerned with
influencing the design of an emerging standard, the then-fledgling XML
technology. These are old arguments that, I assure you, have not stood the test
of the last 4 1/2 years since this small article was written.

Like your previous DB2 message, the remaining items regard security flaws in
their constituent products (primarily IBM's Websphere Java Application
Server product) and do not address any inherent problems with XML, per se.

I can't comment on the ebizQ article, as clicking on the link brought me to
an unrelated area of that site.

-- Scott

On 5/2/05, JamBoi <> wrote:
> Ya know... due diligence is a wonderful thing. Even a non-expert like
> me can run Google and discover all these incredible vulnerabilities of
> XML to cracking attacks. And just think, if I, a non-expert in XML, can
> find all this in just a few minutes of Googling, you KNOW it's just
> scratching the surface. There's so much smoke coming off this side of
> Sacred Cow XML I'm certain there's some fire in there. Hmmm... the
> Sacred Cow XML is seriously failing the smell test. Think I'll send it
> back to the kitchen! In the meantime check these numerous items out:

Received on Tue May 31 23:17:05 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT