Lists Home |
Date Index |
On Tuesday 19 February 2002 10:23 pm, Mike Champion wrote:
> So, what's the current thinking about SOAP-RPC as a security risk in
> *plausible* scenarios where business services are exposed via SOAP?
> And is it generally accepted that a REST-ful worm couldn't happen,
> or is this wishful thinking on my part? I guess if you give me PUT
> access I could send you a virus that did all sorts of harm, but I'd
> still have to sucker you into running it ... with RPC, a mechanism
> exists for the remote user to execute code directly.
Given that most initial RESTful applications will use HTTP, I can't
see how they'd be intrinsically any safer than SOAP over HTTP.
FWIW. One of the basics of security is the notion of "least privilege"
which web services (indeed the web in general) almost explicitly goes
against because of the global namespaces.