Four years of XML at the RSA Security Conference
2005 will be my fourth year speaking on the subject of XML and Web Services security at the RSA Security Conference. In fact, it's my fifth year if you count the 2001 RSA Europe Conference, which was a virtual conference (due to the Sept 11 attacks, the conference happened over conference calls).
Back at the 2002 conference, after my talk on XML security I was swamped with questions about the justification for XML in the first place. At that time, many people had gotten wind of the XML hype but then were surprised to discover that XML is "just text". It wasn't until XML became really widely used that the justification for it became obvious - you use it because everybody else does and because there are all these tools which support XML. And, ironically, that wouldn't have happened unless it began with a lot of hype behind it, to bootstrap the whole process.
At the 2003 and 2004 conferences, nobody asked whether XML was all just hype and would evaporate as people realised it is "just text". But XML was still new enough that people hadn't really thought about its security risks. At the 2003 conference, I worked through a SQL injection and "XML bomb" example. In another talk, I spoke about how the individual tenets of security (authentication, authorization, etc.) map to Web Services. I continued this pattern in 2004, when there was a whole track on Web Services security.
For 2005, I'm talking about how security is mapped to a Service-Oriented Architecture. It's a continuation of ideas from this article I wrote last year for Enterprise Architect magazine, and draws on Vordel's experiences delivering products to secure the SOAs of customers around the world. If you're considering an SOA, or just starting out with some Web Services, but aren't going to be at the RSA Conference, then feel free to get in touch via the email button on the right-hand side of this page and I'll send you a summary and a PDF of the slides.