A recent tweet about a free, Linux-based XML Security suite reminded me that we do not opine on the subject of XML security and its importance enough. SOA has certainly been batondethroned as the technology darling du jour by cloud computing and virtualization and with that forced abdication has unfortunately also come a reduction in the focus on XML and security.

That’s particularly disturbing when you recognize that what’s replaced SOA – primarily WOA and RESTful APIs – exchange data primarily via one of two formats: XML and JSON. Whether you prefer one over the other is a debate I’d rather not have (again) at the moment. It is enough to note that XML is widely used by developers to exchange data between applications and between clients and servers, and that it is the core data format for Web Services used to manage many cloud computing environments, such as Amazon’s AWS.

It’s important, then, to remember that many – nay, most – of the security risks associated with SOA were actually due to its reliance on XML. SOA is an architecture and aside from certain standards proscribing the use of data formats – SOAP, WSDL, UDDI – it carried with it very few tangible security risks. XML, on the other hand, carries with it a wide variety of security risks that have not suddenly “gone away” simply because it’s being used to implement APIs in both RESTful and SOAPy environments.

The risks associated with XML remain and it is likely far more dangerous now than it ever was to ignore those risks because it is used far more often than it has been in the past and for a much broader audience. XML security issues didn’t disappear, SOA simply passed them right along to AJAX, REST, and cloud computing.