xml-dev - Re: RE: [xml-dev] SOAP-RPC and REST and security

Re: RE: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: RE: [xml-dev] SOAP-RPC and REST and security
From: Mike Champion <mc@xegesis.org>
Date: Wed, 20 Feb 2002 19:28:03 -0500
In-reply-to: <8BD7226E07DDFF49AF5EF4030ACE0B7E055714D8@red-msg-06.redmond.corp.microsoft.com>

2/20/2002 6:11:46 PM, "Dare Obasanjo" <dareo@microsoft.com> wrote:

>
>
>I expect that the people who are making the REST is more secure argument
>are primarily trying to promote an agenda instead of thinking critically
>about their statements which is rather unfortunate.  

I think the strongest claim that "REST is more secure" was my somewhat
naive statement in the initial post "I can't see offhand how a Melissa-esque
worm could spread via a REST web service."  Joshua quickly set me straight that
it wasn't the *protocol* that is to blame for Melissa, etc., it's 
the mail clients that allow scripting and/or human stupidity to execute 
unknown code in an attachment.  The assertions about SOAP's insecurity
were in Bruce Schneier's article, and I think we mostly agree that he's
over the top on this one.

I also made an argument that it is probably easier for a non-expert to
design a secure (i.e., impervious being used to spread a virus or worm)
RESTful document exchange than it is to design an equally secure RPC-based
web service.  I haven't noticed a refuation of that; in retrospect, I
guess if you can figure out how to trigger a buffer overflow on a server
and control the data that's in the overflow, you can raise hell whether
the data gets there by SOAP-RPC, SOAP messaging, REST, CGI, or whatever.
Probably *any* text-based message format (XML or URI) would seriously
constrain a hacker's ability to put nasty code in that overflow.   

The strongest case I could make against SOAP and web security after reading
this thread would be that it is relatively easy for a naive user of
a web service generating wizard to expose some object as a web service
that could be misused by a hacker out on the internet somewhere.  Again,
in retrospect, that would be true however the code code invoked, as
a SOAP RPC request, a CGI script, or while processing a REST message.
I'd say that it's somewhat more LIKELY for this to happen within the
development approach that RPC encourages than the approach that REST 
encourages, but I wouldn't want to press the point very hard.

I guess I *could* beat my favorite drum an argue that whichever approach
makes the actual code (not necessarily the code the developer writes directly)
more simple will be the one that is ultimately the more secure.  
"As part of the company's renewed focus on security and privacy, software 
developers will be urged to keep their code simple and, by extension, 
more secure, officials said. "There's a trade-off between security and 
complexity, and having developers not trained is a factor in that." 
[The quotes are from Steve Lipner, Microsoft's director of security 
assurance.  See http://www.eweek.com/article/0,3658,s=712&a=22612,00.asp ]

Whether REST or RPC differ significantly in that respect is To Be Determined.

Follow-Ups:
- Re: RE: [xml-dev] SOAP-RPC and REST and security
  - From: Al Snell <alaric@alaric-snell.com>

References:
- RE: [xml-dev] SOAP-RPC and REST and security
  - From: "Dare Obasanjo" <dareo@microsoft.com>

Prev by Date: agendas
Next by Date: RE: [xml-dev] SOAP-RPC and REST and security
Previous by thread: agendas
Next by thread: Re: RE: [xml-dev] SOAP-RPC and REST and security
Index(es):
- Date
- Thread