Francois Lascelles

Top Stories by Francois Lascelles

SOA Best Practices Digest

Although certain RESTful web services are of a ‘public’ nature and do not have specific security requirements such as authentication and authorization, any service that has an entry point from an untrusted network is subject to attack, and proper threat protection measures are always an essential consideration. RESTful web services are closely aligned with the web itself and as such inherit all traditional threats from the web. Although network-level threats are well understood and addressed by traditional firewall infrastructure, RESTful web service APIs are also subject to content-level (or message-level) threats. For example, consider APIs where XML payloads are POSTed and/or PUT from external requesters. A particularly dangerous threat was uncovered last summer involving a vulnerability in most XML parsing libraries used at the time. An... (more)

SOA Gateway Trends for 2011 and Beyond

It has been fascinating to witness how the use of SOA gateways evolved over time. In 2010, we saw an explosion of market demand for our gateway appliance product. Here are my thoughts on what I expect to see this year and beyond. Recent use cases for these types of devices largely focused on B2B interactions and internal enterprise integration. Many enterprise architects realized the benefits of using the lightweight ESB-in-a-box deployment model and gateway-based integration. I don’t think we’ve hit the peak of this type of use case. I expect the demand for quickly deployed int... (more)

The ESG Pattern
Are you still considering rolling out a major Enterprise Service Bus (ESB) stack — you know, the kind that involves a massive initial investment and takes 8+ months to deploy? This wasteful approach was a major factor in doomed corporate SOA initiatives that were common between 2003 and 2009. During this same period, clever architects ignored large vendor promises and realized that you simply cannot buy your way into an agile enterprise SOA. They instead focused on the tasks at hand, integrating existing IT assets, following SOA principles, using existing tools and adding lightwe... (more)

JSON Schema Validation for RESTful Web Services

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML-based attacks, payloads are not only scanned for code injections, malicious entity declarations and parser attacks; XML documents are also validated against strict schemas that clearly describe the expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks on the Web service endpoint. Structure definition languages such as XML Schema ... (more)

WS Security Performance

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the con... (more)