Thanks for all the replies so far! I would just like to comment on
Holger Peine's and Mike Hines' viewpoints.
[EMAIL PROTECTED] wrote:
> I don't see a conflict here: A web service (just as any
> network-accessible
> service, no matter whether programmed using sockets, Java RMI, SOAP or
> whatever) is _intended_ to provide some function to the outside world,
> so you have to open _some_ door into your system. The advice about
> minimizing the attack surface is about not opening any doors you don't
> really need (or worse, didn't even intend to open).
As you say, any kind of system is _intended_ to provide some function.
But security bugs often hide in unintended, undocumented or unknown
functionality. By increasing the attack surface you also increase the
risk of adding unknown functions.
Mike Hines commented on web services running everything through port 80
(HTTP) as negating "... any value of firewalls and most likely intrusion
detection systems". Indeed, web services tunnel a lot of functionality
through port 80, effectively hiding it from many system monitoring
defense measures. The security will rely on validating SOAP envelopes
and prevention at the application/run-time system level. It seems to me
like a huge burden.
Regards, John
____________________________
John Wilander, PhD student
Computer and Information Sc.
Linkoping University, Sweden
http://www.ida.liu.se/~johwi
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
