[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: SOAP-RPC and REST and security
"Bullard, Claude L (Len)" wrote: > > Paul: > > "But the whole point of web services was that we would put services on > the public Web as we put websites on the public Web." > > http://www.prescod.net/rest/security.html > > Be sure that only idiots would expose their non-trivial business documents to > "the Web" through any kind of interface. Nothing gives a competitor such advantages as > to be able to see this stuff. How does a competitor get through the authentication? They steal a password? If they can do that, why can't they steal a password to your VPN or your webserver? > ... That is why contracts for proposal responses include language > about the public dissemination of the documents submitted. Highly secret documents can be "on the web". If you don't have the password you don't get the document. Putting it behind six layers of RPC adds no security. It boils down to: if you don't have the password you don't get the document. (where password is broadly interpreted as password, capability, private key, etc.) >... > Now step back from the "idiots" who bought the story Tim Berners-Lee sold them, and take a look > at how serious business professionals design software. They use requirements derived from contracts > derived from proposals sent in response to requests. No where in there is security deprecated > or overlooked. We have whole sections of responses dedicated to security. We will not expose > objects to the web that expose security holes. We are much more likely to partition the web > away from vital assets and use proper and well-understood techniques of dissemination management. You're building this wonderful system based on the software you get on MSDN CDs. And you trust it to maintain your security more than you do Apache? If the secret to security is "business professionals using requirements derived from contracts derived from proposals" then I guess we'll soon see an end to all of the hacking going around. All they need is a few more dollars on business professionals and requirements, right? That's enough to stop Microsoft from having any more massive holes in their operating system. That'll stop IBM's 4758 cryptographic co-processor from being hacked next time. It will prevent security leaks at the Japanese State Agency and major computer theft at Barclay's bank? Security is a discipline. It has nothing to do with how many layers of firewalls you have between your database and your public interface. It has to do with discipline. Schneier is famous for understanding how to apply the discipline. You ignore him at your peril. He takes Microsoft to task because they are famous for lack of discipline. That's why Bill Gates got a tounge lashing from George Bush's cyber security advisor. If you care about security I have no idea why you want to follow them down the MSDN path. I think that people who appreciate the discipline of security will understand what I've written here[1] and probably add to it. But it's brand new and time will tell. > That said, RPCs for intranet and URIs for extranet are just fine. The Network Is NOT the Computer. > Using services at the public level will require intense scrutiny. If your managers are idiots, > they may let you do things that are stupid, just as the NRC, DoD, and others did with URLs. Len, I have no idea what you are talking about. URLs can be used stupidly. Yes. So? Nobody said that you should turn off access controls. At some level your business documents have to interface with the Web. They flow to your business partners over HTTP. The only question is whether you take advantage of that and use the Web to secure them or just stack security flaws in SOAP implementations on top of whatever security flaws there may be in HTTP implementations. Paul Prescod [1] http://www.prescod.net/http/query_alternatives.html
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|