Lists Home |
Date Index |
> From: Mike Champion [mailto:firstname.lastname@example.org]
> Is that an appropriate analogy? Is the potential security
> problem we've
> been talking about at the tool level rather than the protocol level?
> And how likely is it that a semi-competent developer using a modern
> web services wizard would "cut his arm off" accidentally?
I think Paul has valid points. But I think the far bigger danger is not SOAP
itself, but these power tools in the hands of *naive* developers.
I recently remembered a real world "security breach" that I thought I'd add
to the discussion. This is something I was informed of by a client when I
worked as a consultant a couple of years ago. For obvious reasons, I won't
go into great detail (or name any names).
While working on an unrelated project, our team found out from the customer
(a company in the travel industry) that their existing web-based reservation
system had been "hacked". The system would present the user with a set of
choices (with associated prices) in their browser. When the user selected
one, it would post a form up to the server with one of the parameters being
the selected price. The system would then go ahead and book the reservation
with that price. See anything wrong here? It didn't take long for some users
to discover they could save the form to disk, edit the price, then post the
form up to the server and get whatever price they wanted. Talk about "name
your price"; this sure beats Priceline!
I'm not making this up. This is a real world example.
These are the sort of "security breaches" we will see with web services --
the same security breaches we are seeing today with web apps. It is not the
technology that is at fault, here.
And even if SOAP is abandoned and everyone is writing REST-ful web services,
what about that will ensure some naive developer doesn't write an
application that accepts an XML document that is PUT to a unique URI, and
trusts the content and invokes business logic with it without sound
verifications letting some malicious user name their price for goods?
Whatever REST contributes to security, here, it is a drop in the bucket.
I've heard some pretty compelling arguments in favor of REST. But based on
what I've seen in the real world, I think the argument that REST leads to
more secure apps is the weakest, least-compelling argument. Properly
allowing a firewall administrator to control access to services makes
obvious sense; but this goes nowhere near far enough to providing the level
of security really needed for web services. I think the focus of criticism
on SOAP is just fostering misconceptions and confusion regarding the real
issues of security with web apps.
I think the discussion of REST is healthy and useful. It's changed my mind
about a number of things. I also think it is good to analyze SOAP and
consider if this is the right way to do things. I'm sold on the idea that
there should be visibility to the firewall. I don't think, though, that the
discussions regarding SOAP and security are highlighting the real issues
that will lead to security breaches, and those issues are the same ones that
are leading to security breaches today.
Those things are:
1) Naive developers writing apps that trust the information they get over
2) Naive developers thinking that if they don't advertise their web service,
the hackers won't find it.
3) Naive developers trusting that no one is listening in on the
4) Vendors focusing on features and time to market, but ignoring security
concerns because that's not what will ultimately sell the product.
5) Vendors selling snake oil that purports to solve your security problems
6) People thinking a firewall = security.
These are just off the top of my head. But based on my experience, these are
the things that are causing real problems with security today, and I fully
expect this to continue with web services.
I think it is fair to take the vendors to task. But I think there is too
much indictment of SOAP itself based on certain vendors' tools and marketing
hype, and that is not helping the credibility of the criticisms of SOAP
among technical folk.