
SOAP-RPC and REST and security


One more issue on RPC vs REST -- security.

I'm not sure this is a differentiator, but consider this section of 
http://www.counterpane.com/crypto-gram-0202.html#2

"And one of the simplest, strongest, and safest models is to enforce a rigid separation 
of data and code. The commingling of data and code is responsible for a great many 
security problems...

"Implementation of Microsoft [sic] SOAP, a protocol running over HTTP precisely so it 
could bypass firewalls, should be withdrawn. According to the Microsoft documentation: 
"Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to 
pass through, you'll have no problem invoking SOAP endpoints from either side of a 
firewall." It is exactly this feature-above-security mindset that needs to go. It may be 
that SOAP offers sufficient security mechanisms, proper separation of code and data. 
However, Microsoft promotes it for its security avoidance."

One could surely argue that REST *does* rigidly separate code from data, and I can't see 
offhand how a Melissa-esque worm could spread via a REST web service.  What about SOAP-RPC, 
though?  I'm inclined to think that the article is unfair (and the prescription 
draconian), because a SOAP RPC call could only invoke a procedure that had been 
installed on the target machine; it's impossible to secure a system against idiocy.  On 
the other hand, I can imagine people getting carried away and making all sorts of OS-level 
stuff accessible via SOAP-RPC without thinking too hard about it, and that could 
lead to SOAP-y worms.  

So, what's the current thinking about SOAP-RPC as a security risk in *plausible* 
scenarios where business services are exposed via SOAP?  And is it generally accepted 
that a REST-ful worm couldn't happen, or is this wishful thinking on my part?  I guess 
if you give me PUT access I could send you a virus that did all sorts of harm, but I'd 
still have to [expletive deleted] you into running it ... with RPC, a mechanism exists for the remote 
user to execute code directly.
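The distinction the message draws (RPC turns a client-supplied name into a call, REST turns a client-supplied body into stored data) can be shown in code. The following is an added example written for this archive page, not code from the original poster or from any real SOAP toolkit: `QuoteService`, its `restart_host` helper, the `urn:example:quotes` namespace, the `/docs/...` path scheme and the two SOAP envelopes are all constructed for the illustration. It contrasts a dispatcher that resolves whatever method name the envelope carries (the "carried away" case above) with one that only resolves an explicit allowlist, and beside them a PUT handler that never interprets the body at all.

```python
import re
import xml.etree.ElementTree as ET  # production code should use defusedxml for untrusted XML

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed envelopes: one intended business call, one naming an internal helper.
GOOD_CALL = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="urn:example:quotes">
  <soap:Body><m:get_quote><symbol>xyz</symbol></m:get_quote></soap:Body>
</soap:Envelope>"""

ROGUE_CALL = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="urn:example:quotes">
  <soap:Body><m:restart_host/></soap:Body>
</soap:Envelope>"""


class QuoteService:
    """Hypothetical business service. Only get_quote is meant to be remotely callable."""

    PRICES = {"XYZ": 12.5}  # constructed sample data

    def get_quote(self, symbol):
        return {"symbol": symbol.upper(), "price": self.PRICES.get(symbol.upper())}

    def restart_host(self):
        # Stands in for an OS-level action (e.g. os.system("shutdown")); returns a
        # marker instead of doing anything so the example is safe to run.
        return "host restarted"


def parse_rpc_call(envelope):
    """Return (method_name, positional_args) from a SOAP-RPC envelope."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    call = list(body)[0]                       # first child of Body names the procedure
    method = call.tag.split("}")[-1]           # strip the namespace prefix
    args = [child.text or "" for child in call]
    return method, args


def dispatch_naive(service, envelope):
    """Resolves any attribute the client names: the data in the envelope selects the code."""
    method, args = parse_rpc_call(envelope)
    return getattr(service, method)(*args)


ALLOWED_METHODS = frozenset({"get_quote"})


def dispatch_allowlisted(service, envelope):
    """Only an explicit allowlist of procedures is reachable; anything else is refused."""
    method, args = parse_rpc_call(envelope)
    if method not in ALLOWED_METHODS:
        raise PermissionError(f"method {method!r} is not exposed")
    return getattr(service, method)(*args)


class DocumentStore:
    """REST-style PUT/GET: the body is opaque bytes and is never resolved to code."""

    PATH_RE = re.compile(r"/docs/[A-Za-z0-9_-]{1,64}")

    def __init__(self):
        self._docs = {}

    def put(self, path, body):
        if not self.PATH_RE.fullmatch(path):
            raise ValueError(f"bad resource path {path!r}")
        self._docs[path] = bytes(body)        # stored, not interpreted
        return 201

    def get(self, path):
        return self._docs.get(path)


if __name__ == "__main__":
    svc = QuoteService()
    print(dispatch_naive(svc, ROGUE_CALL))         # internal helper reached by name
    try:
        dispatch_allowlisted(svc, ROGUE_CALL)
    except PermissionError as e:
        print("refused:", e)
    store = DocumentStore()
    store.put("/docs/report1", ROGUE_CALL)          # same bytes, now just a document
    print(store.get("/docs/report1") == ROGUE_CALL)
```

The naive dispatcher is the shape the message worries about: nothing in the protocol stops the envelope from naming `restart_host`, so whether that is reachable depends entirely on what the developer left on the service object. The allowlisted version makes the exposed surface an explicit, reviewable set. The `DocumentStore` half shows the REST-side claim: a PUT of the very same rogue envelope succeeds, but the body only ever comes back out as bytes; a client would still have to persuade someone to execute it.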


