[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: RE: SOAP-RPC and REST and security


cgi soap rpc
2/20/2002 6:11:46 PM, "Dare Obasanjo" <dareo@m...> wrote:

>
>
>I expect that the people who are making the REST is more secure argument
>are primarily trying to promote an agenda instead of thinking critically
>about their statements which is rather unfortunate.  

I think the strongest claim that "REST is more secure" was my somewhat
naive statement in the initial post "I can't see offhand how a Melissa-esque
worm could spread via a REST web service."  Joshua quickly set me straight that
it wasn't the *protocol* that is to blame for Melissa, etc., it's 
the mail clients that allow scripting and/or human stupidity to execute 
unknown code in an attachment.  The assertions about SOAP's insecurity
were in Bruce Schneier's article, and I think we mostly agree that he's
over the top on this one.

I also made an argument that it is probably easier for a non-expert to
design a secure (i.e., impervious being used to spread a virus or worm)
RESTful document exchange than it is to design an equally secure RPC-based
web service.  I haven't noticed a refuation of that; in retrospect, I
guess if you can figure out how to trigger a buffer overflow on a server
and control the data that's in the overflow, you can raise hell whether
the data gets there by SOAP-RPC, SOAP messaging, REST, CGI, or whatever.
Probably *any* text-based message format (XML or URI) would seriously
constrain a hacker's ability to put nasty code in that overflow.   

The strongest case I could make against SOAP and web security after reading
this thread would be that it is relatively easy for a naive user of
a web service generating wizard to expose some object as a web service
that could be misused by a hacker out on the internet somewhere.  Again,
in retrospect, that would be true however the code code invoked, as
a SOAP RPC request, a CGI script, or while processing a REST message.
I'd say that it's somewhat more LIKELY for this to happen within the
development approach that RPC encourages than the approach that REST 
encourages, but I wouldn't want to press the point very hard.

I guess I *could* beat my favorite drum an argue that whichever approach
makes the actual code (not necessarily the code the developer writes directly)
more simple will be the one that is ultimately the more secure.  
"As part of the company's renewed focus on security and privacy, software 
developers will be urged to keep their code simple and, by extension, 
more secure, officials said. "There's a trade-off between security and 
complexity, and having developers not trained is a factor in that." 
[The quotes are from Steve Lipner, Microsoft's director of security 
assurance.  See http://www.eweek.com/article/0,3658,s=712&a=22612,00.asp ]

Whether REST or RPC differ significantly in that respect is To Be Determined.





PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.