As agencies roll out more Web services, whether for citizen applications or internal government use, the National Institute of Standards and Technology warns systems administrators to be alert for attacks that exploit vulnerabilities common to Extensible Markup Language (XML) based services.
NIST’s new Special Publication 800-95, Guide to Secure Web Services, offers pointers on ways to keep online services and applications that rely on service-oriented architectures from becoming leaky data sieves. It suggests placing an XML gateway in front of services to inspect and filter messages, which can prevent:
- WSDL Scanning: Retrieving a service’s Web Service Description Language (WSDL) file to learn its operations, parameters and endpoints, information useful for planning an attack.
- Parameter Tampering: Modifying a service’s parameters to bypass input validation and gain unauthorized access.
- Replay Attacks: Capturing and resending Simple Object Access Protocol (SOAP) requests, the messages that carry a Web service transaction, so that a sensitive transaction is executed again.
- Recursive and Oversized Payload Attacks: Sending deeply nested or very large messages that exhaust the XML parser’s memory or processing time and cause a denial of service.
- External Reference Attacks: Including external references in a message, such as an external entity or DTD, that the service will download and process after it has validated the XML.
- Schema Poisoning: Supplying a schema that the service’s XML validator will accept and use, so that the service accepts a malicious document as valid.
- Structured Query Language Injection: Providing parameters that the Web service concatenates into a SQL query, so that the query executes logic chosen by the attacker.
- Buffer Overflows: Providing parameters that overflow the service’s input buffers and crash the Web service or execute malicious code.
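The checks an XML gateway applies before a message reaches the service can be illustrated with a small pre-parse filter. The block below is an added example, not code from NIST SP 800-95 or from any gateway product: it rejects oversized and deeply nested payloads, any DOCTYPE (where entity declarations and external references live), and messages that name their own schema, and it keeps a short-lived cache of message IDs to detect replays. The size, depth and window limits and the sample SOAP messages are constructed for the example; Python’s standard-library expat bindings do the parsing.

```python
"""Gateway-style pre-parse checks for inbound SOAP/XML messages.

Added example; not NIST or vendor code. Limits below are assumed values
chosen for illustration, not figures the publication prescribes.
"""
from typing import Dict, Optional
import time
import xml.parsers.expat

MAX_BYTES = 64 * 1024          # oversized-payload limit (assumed)
MAX_DEPTH = 32                 # recursive-payload limit (assumed)
MAX_ELEMENTS = 10_000          # element-count limit (assumed)
REPLAY_WINDOW_SECONDS = 300    # how long a message ID is remembered (assumed)

# Attributes that let a message point the validator at its own schema.
SCHEMA_LOCATION_ATTRS = {"schemaLocation", "noNamespaceSchemaLocation"}


class RejectedPayload(Exception):
    """Raised with a short reason when a message must not reach the service."""


def check_payload(data: bytes) -> Dict[str, int]:
    """Return parse statistics if the message is acceptable, else raise.

    Runs before schema validation, so no entity or external reference from
    untrusted input is ever resolved: a DOCTYPE aborts the parse outright.
    """
    if len(data) > MAX_BYTES:
        raise RejectedPayload(f"oversized payload: {len(data)} bytes")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise RejectedPayload(f"recursive payload: depth > {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedPayload(f"oversized payload: > {MAX_ELEMENTS} elements")
        for attr in attrs:
            # Prefixed attributes arrive as e.g. "xsi:schemaLocation".
            if attr.split(":")[-1] in SCHEMA_LOCATION_ATTRS:
                raise RejectedPayload(f"schema poisoning: {attr} not allowed")

    def end_element(name):
        stats["depth"] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Entity declarations and external DTD references can only appear here.
        raise RejectedPayload("external reference: DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(data, True)   # an exception in a handler aborts the parse
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from exc
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


def screen(data: bytes) -> str:
    """Return "ok" or the rejection reason; handy for gateway logging."""
    try:
        check_payload(data)
        return "ok"
    except RejectedPayload as exc:
        return str(exc)


class ReplayCache:
    """Remember message IDs for a window; a repeat inside it is a replay.

    Stands in for WS-Security timestamp-plus-nonce checking. The clock is
    injectable (``now``) so the behaviour can be exercised without waiting.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, float] = {}   # message ID -> time first seen

    def accept(self, message_id: str, sent_at: float,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Expire old entries so the cache stays bounded.
        self._seen = {m: t for m, t in self._seen.items()
                      if now - t < REPLAY_WINDOW_SECONDS}
        if abs(now - sent_at) > REPLAY_WINDOW_SECONDS:
            return False   # stale or future-dated: outside the tracked window
        if message_id in self._seen:
            return False   # replay
        self._seen[message_id] = now
        return True


# Constructed sample messages (not captured traffic).
GOOD_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header><MessageID>urn:uuid:1</MessageID></soap:Header>
  <soap:Body><GetBalance><account>12345</account></GetBalance></soap:Body>
</soap:Envelope>"""
EXTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE a SYSTEM "http://attacker.invalid/evil.dtd"><a>&x;</a>')
DEEP_NESTING = b"<a>" * 100 + b"</a>" * 100
OWN_SCHEMA = (b'<a xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
              b'xsi:schemaLocation="http://attacker.invalid/a.xsd"/>')
```

The filter deliberately rejects every DOCTYPE rather than trying to distinguish harmless internal subsets from dangerous ones; SOAP messages have no legitimate need for one, and a blanket rule is easier to audit than an allow-list of entity forms. Schema validation against the gateway’s own trusted schema, and parameter checks against the WSDL, would follow for messages that pass.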
PMs See Eye to Eye With CIO Council
The CIO Council’s focus on government project management apparently jibes well with the views of federal managers themselves.
Since its creation a decade ago, the council has emphasized the need to improve project management in agencies, to make sure the government has qualified PMs and to create tools to help managers monitor projects so that they stay on schedule and under budget.
A new survey finds that project managers think the government lacks information technology tools that would help them do their jobs better. And, 69 percent of the 151 federal managers surveyed report that their agencies get one in five projects done on time and within budget.
51% My agency needs a standardized project management system.
42% My agency needs to replace homegrown management spreadsheets.
40% Agencies should deploy standardized systems for reporting and tracking projects.
38% Agencies should use standardized systems for reporting project problems in real time.
Look to the Wiki, for Heaven’s Sake
When you need a break from debating service-oriented architecture on the Intergovernmental Services Wiki (colab.cim3.net/wiki) or a breather from exchanging homeland security strategies on Intellipedia (a classified wiki for the intelligence community), check out the heavens — from your keyboard.
Of course, there are the many interactive links on the government’s own www.nasa.gov, but you can visit an imaginary galaxy built and maintained by an online community of nearly 2,000 at www.galaxiki.org. Galaxiki is a wiki for the stars — literally. The site has more than 1 million computer-generated stars, planets, moons and other orbital objects.
(Psst, if you get tired of sharing the galaxy, you can spend a few dollars and buy your own solar system.)
Find the Right Balance Between IT and Financial Management
What’s the value of a system, not for information technology’s sake but to the business needs of an agency?
Without collaboration between an agency’s IT team and its finance chiefs, that question can go unanswered, according to a research project of the American Council for Technology and the Interagency Advisory Council.
The research team did an in-depth analysis of five agencies’ efforts to get maximum IT-finance coordination when planning, approving, appropriating and deploying systems. A peek inside the Education Department’s successful use of its Investment Review Board led the team to offer four pointers:
- Make sure a wide range of program managers and staff members participate in reviews so that both a clear picture of business needs and technical expertise are part of the decision-making process.
- Get the CIO involved early so that financial chiefs can understand IT constraints and goals; that way the reviews can focus on business value to the agency and on the customers of the project at hand.
- Select leaders for capital planning based on their understanding of how an IT project will deliver business value to the agency rather than just on whether they have a lot of capital planning experience.
- Get third-party help creating IT business cases so that managers can concentrate on advancing the agency’s mission.
To read the entire research paper “Business Value of CFO-CIO Collaboration,” go to www.actgov.org.
Off the Shelf/Recommended Reading
By Whom: Darlene Meskell, director of intergovernmental solutions for the General Services Administration’s Office of Citizen Services and Communications
Book: Wikinomics: How Mass Collaboration Changes Everything by Don Tapscott and Anthony D. Williams
Why: Collaboration is having a transformative effect on how societies harness knowledge and skill to innovate and create value. My office was established 11 years ago on the collaborative principle that “governments learn best from other governments,” across the country and around the world. As practitioners of peer-to-peer relationship building, we have been effective in bringing together senior IT leaders to share their experience, insights and lessons learned in addressing common issues. Wikinomics validates the power of this approach.
Most Important Takeaways: The four principles of wikinomics — openness, peering, sharing and acting globally — are changing the ways communities, states and nations govern themselves. Collaboration across government boundaries, and across sectors, will bring better decision-making and increase the productivity and effectiveness of the public domain. Technology permits an unprecedented level of transparency and increased public participation that will facilitate communication, knowledge sharing and innovation, and build trust in government.
Though federal managers, like those in most organizations, are not eager to cede control of their programs, they must find ways to leverage the “digital commons” to deliver the high standard of government service the public has every right to demand. As the authors put it, “Harness the new collaboration or perish.”