[
Lists Home |
Date Index |
Thread Index
]
> From: Paul Prescod [mailto:paul@prescod.net]
<snip/>
> Bruce S. raised a serious technical issue that has not been refuted.
> I've documented others in an essay here:
>
> http://www.prescod.net/rest/security.html
>
> Let me say again: REST is not a security silver bullet. SOAP services
> are not guaranteed to be insecure.
>
> But specifications and communities can encourage security and make it
> easy or discourage it and make it hard. SOAP (whether RPC or
> "messaging") does the latter.
I fail to see how any of the points raised do not apply equally to web apps
being built today by developers using ASP, ColdFusion, PHP, or simple CGI
scripts -- with no SOAP involved. The problem I have is that SOAP is being
wrongly depicted as somehow making things worse. I don't see how it is
making things worse or better; it is just more of the same. And writing
articles about supposed security problems intrinsic to SOAP is just
contributing to misinformation. If developers are left to belive that their
ASP pages or CGI scripts are somehow intrinsically more secure than SOAP,
how is that helping?
I fail to see what's special about SOAP, here.
|
