Software tests security of XML applications.

Press Release Summary:



Vordel SOAPbox v3.1 security testing tool, used during development and deployment phases, ensures that an XML application complies with security standards and best practices. It also tests defenses of XML gateway and SOA security solutions and can highlight security tokens, signatures, and encrypted content in XML documents. Able to test interoperability for Web Services deployments, the program lets users design and prototype security policies for XML applications before deployment.



Original Press Release:



Introducing Vordel SOAPbox 3.1



The industry's most widely used security testing tool for XML applications

Ensure that your XML applications comply with corporate security policies

Test the defences of your XML gateway and SOA security solutions

Test interoperability for all your Web Services deployments

Design and prototype security policies for XML applications before you deploy

Overview
Vordel SOAPbox is the industry's most widely-used tool for testing the security of XML applications, such as XML Web Services. It is used during development and deployment phases to test an XML application's compliance with security standards and best practices. SOAPbox highlights security tokens, signatures, and encrypted content in XML documents.

SOAPbox supports established security technologies such as SSL and HTTP-Auth, as well as next-generation security technologies such as WS-Security and SAML. Registered SOAPbox users include Accenture, Abbey National, BankOne, British Telecom, Cisco, Credit Suisse First Boston, DaimlerChrysler, HBOS, Royal Bank of Scotland, and many others.

Latest features include:
Sample SOAP messages
Get started quickly with SOAP messages secured using the Vordel sample private key.

XML Encryption and decryption
EncryptedData blocks can be decrypted easily.

SOAP attachments: DIME support in addition to MIME
DIME is a transport mechanism that allows the inclusion of attachments containing XML messages.

Graphical Keystore
Load multiple keys and certificates without using command-line tools. With the new keystore it is possible to encrypt XML for multiple recipients in one simple step.

Remove Security Tokens
Automatically remove security tokens from messages so that you can quickly and simply move on to your next test.

Specify Transfer Encoding
Configure the XML encoding declaration of the message, so that the XML processor will use the declaration to determine the character encoding of the message.

Email support
Full email support from Vordel's online support desk.

Frequently Asked Questions:
What is SOAPbox?
Is Vordel SOAPbox a programming toolkit?
Is the SOAPbox only for SOAP messages?
Who uses SOAPbox?
How does SOAPbox test the security compliance of an XML application?
What are the system requirements to run Vordel SOAPbox?
When I download SOAPbox, where do I start? Is there a quick-start guide?
How much does Vordel SOAPbox cost?
If I'm planning to only use SSL to secure my Web Service, and have no plans to use WS-Security, can I still use Vordel SOAPbox?
Can I use Vordel SOAPbox to add security to my Web Services?
Do I need to understand new Web Services security technologies such as WS-Security and SAML in order to use Vordel SOAPbox?
Does SOAPbox support Web server security technologies, such as SSL and HTTP-auth, as well as Web Services security technologies such as WS-Security?
Many XML security standards, such as XML Signature and XML Encryption, require me to generate keys and certificates. Does SOAPbox help with that?
SOAPbox supports XML Encryption. But can it be used to decrypt XML also?
I haven't built any XML applications yet, but I'd still like to use SOAPbox to learn about security standards. Are there sample applications I can use?
Is support provided for SOAPbox?
Does SOAPbox allow me to use custom HTTP headers?
I need an application that will perform XML Signature and XML Encryption, like SOAPbox except not menu-driven. Does Vordel have such an application?
How do I get Vordel SOAPbox?

What is SOAPbox?
SOAPbox is a graphical application that acts as a testing client for an XML application, such as an XML Web Service. SOAPbox creates signed and encrypted XML messages, and supports SSL, WS-Security, and SAML, as well as SOAP attachments using MIME and DIME. In this way, SOAPbox can test the security policies used by an XML-processing application.

Is Vordel SOAPbox a programming toolkit?
No. Vordel SOAPbox is a graphical application which requires no programming to operate. It is designed to make it as easy as possible to generate digitally signed and encrypted XML documents, in order to test the security of an XML application.

Using SOAPbox, a tester can select a portion of an XML document and choose to sign or encrypt the elements which they have selected. Doing the equivalent operation using a programming toolkit would involve knowledge of XPath, XML Signature and XML Encryption, and, of course, a programming toolkit.

Is the SOAPbox only for SOAP messages?
No. Although it is called "SOAPbox", the SOAPbox can also be used to test applications that use so-called "Plain Old XML" without a SOAP envelope. For example, the screenshot below shows SOAPbox used to digitally sign part of an XML document, before sending it to an application over HTTP. In this way, the tester can see how the application behaves when the message is not signed, when the signature is broken, or when an untrusted certificate is used.

Who uses SOAPbox?
SOAPbox is used by developers, architects, and testers who wish to test the security policies used by their XML applications. Registered SOAPbox users include Accenture, Abbey National, BankOne, British Telecom, Cisco, Credit Suisse First Boston, DaimlerChrysler, HBOS, Royal Bank of Scotland, and many others.

How does SOAPbox test the security compliance of an XML application?
SOAPbox is used to test the following:

Test client-side SSL and server-side SSL
Test how an application responds to an unexpected attachment (e.g. an executable sent in an attachment).
Test how an application processes XML messages that have been signed, including messages with broken signatures
Test how an application processes encrypted XML
Test compliance with WS-Security
Test SAML compliance by constructing SAML assertions
Highlight the security tokens in a SOAP message
Avoid having to write code to test the security of an XML application
Without using SOAPbox, testing would involve either programming a client application, or else would be left to chance.

What are the system requirements to run Vordel SOAPbox?
The following operating systems are supported:

Microsoft Windows including Windows 2000, XP and NT
Linux (including SuSE Linux, Red Hat, and Debian)
Solaris

The hardware requirements are:

64Mb RAM
20Mb free disk space
SOAPbox includes a Java Virtual Machine preconfigured to run with the download
Vordel SOAPbox uses a Java Virtual Machine which is configured with a security provider. For convenience, a pre-configured JVM is bundled with the download, and installs automatically.

When I download SOAPbox, where do I start? Is there a quick-start guide?
The quick-start guide is here.

How much does Vordel SOAPbox cost?
SOAPbox can be downloaded for free on a 1-day trial basis. After that it costs $99 for a perpetual license. Discounted pricing is available for multi-seat licences. Contact Vordel sales (sales@vordel.com) to enquire about a multi-user licence.

If I'm planning to only use SSL to secure my Web Service, and have no plans to use WS-Security, can I still use Vordel SOAPbox?
Yes. Vordel SOAPbox supports SSL, and allows you to test your SSL-protected Web Services by sending them XML messages over SSL. It supports client-side as well as server-side SSL. In fact, a popular use for SOAPbox is to test client-side SSL authentication.

Can I use Vordel SOAPbox to add security to my Web Services?
No. Vordel SOAPbox is a testing tool which is used to test the security of a Web Service. It's a useful tool to test the security configuration of a Web Service. Tools such as VordelSecure, the VS3000, and VordelDirector are used to add security to Web Services. These tools make it easy to configure and enforce policies such as "all XML must be digitally signed by a trusted partner, must arrive over SSL, must be logged, must not contain SOAP attachments, and must conform to the appropriate Schema."

Do I need to understand new Web Services security technologies such as WS-Security and SAML in order to use Vordel SOAPbox?
No. In fact, Vordel SOAPbox is a useful tool to learn about these new Web Services security technologies, since it shows the input and output of secure Web Services in a simple GUI.

The intuitive interface allows SOAPbox users to learn about Web Services security standards. SOAPbox presents a tree-view of security tokens with security tokens and signatures automatically highlighted (see screenshot below).

Does SOAPbox support Web server security technologies, such as SSL and HTTP-auth, as well as Web Services security technologies such as WS-Security?
Yes. SOAPbox supports server-side and client-side SSL, basic HTTP Authentication, and digest HTTP Authentication. This means that SOAPbox can be used to test the security configuration for normal Websites, as well as testing Web Services. In fact, many existing SOAPbox users are using the tool to test client-side SSL configuration for Websites that are protected using HTTPS.

Many XML security standards, such as XML Signature and XML Encryption, require me to generate keys and certificates. Does SOAPbox help with that?
Yes. SOAPbox includes a built-in Keystore which can import keys from a variety of sources, in PEM and PKCS#12 formats. For your convenience, a sample key-pair is provided with SOAPbox.

The operation of SOAPbox's keystore does not require the command line; it is all GUI-based.

SOAPbox supports XML Encryption. But can it be used to decrypt XML also?
Yes. You can use SOAPbox to decrypt content that has been encrypted using XML Encryption, providing you have access to the appropriate cryptographic key. The following screenshot shows encrypted XML content which can be decrypted using SOAPbox.

I haven't built any XML applications yet, but I'd still like to use SOAPbox to learn about security standards. Are there sample applications I can use?
Yes. SOAPbox comes pre-configured with a number of sample Web Services which you can test against.

Is support provided for SOAPbox?
The complete documentation for SOAPbox is available online. We also have an FAQ which contains answers to some more obvious questions. Please check these documents before you contact us. Please send feedback or problem reports to soapboxsupport@vordel.com

Does SOAPbox allow me to use custom HTTP headers?
Yes. In the following screenshot, we see SOAPbox being used to configure custom HTTP headers to be sent to an XML-consuming application.

I need an application that will perform XML Signature and XML Encryption, like SOAPbox except not menu-driven. Does Vordel have such an application?
Yes! VordelDirector provides "security services" for signing and encrypting XML documents. You can send XML to VordelDirector in order to have it signed, encrypted, decrypted, or validated.

In the screenshot below, we see a VordelDirector "Signing Service" in action. SOAP messages sent through the signing service are automatically signed.
