The problem is, SSL is not--and should never be considered--a security panacea. Although SSL and similar transport-encryption protocols protect your content in transit, the vulnerabilities against which those protocols protect are not peculiar to Web services. These mechanisms do not begin to address the real insecurities inherent in Web services.
By Invitation Only
Because XML is human-readable, if it's intercepted in transit, it can provide a wealth of information, not only from the data being exchanged, but from the structure of that data. Although both HTML form data and XML comprise name-value pairs, XML is hierarchical and often models an internal database schema, making relationships between the data more readily apparent compared with data encoded in an HTML form. Enabling XML output directly from IIS results in the same vulnerabilities: A schema, and resulting output, are pulled directly from the database and can be used to map tables and columns, giving great insight into the internal workings of your organization.
Most Web services development tools and platforms promise rapid development of services, but do so without worrying about pesky details like, say, the exposure of sensitive corporate structures easily abstracted from the generated WSDL and XML schema necessary to build a Web service.
Also exposed in a Web services architecture are the specific methods, or functions, being called. Generally, the methods documented in the WSDL are pulled from code and rarely obfuscated, as is the case with Web-based form submission. The granularity required by a service-oriented architecture means that your internal business process could be abstracted from its associated application code. An HTML form may pass information back to an application, but the underlying function calls--often meaningfully named--are not exposed.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
