>From: Francis Norton [mailto:francis@redrice.com]
>>
>> It's one thing to be against clients remotely executing code on a server
>> and another to scapegoat SOAP in an ill-conceived attempt to garner
>> negative press towards a misunderstood technology.
>>
>> After all, buffer overflows are possible in all web applications written
>> in unsafe languages. Whether they use SOAP or not is inconsequential.
>
>I would suggest that one of the security advantages of Web
>Services is that you can specify the lengths and types of all
>fields using XML Schema, and that you use a robust third-party
>component to parse and validate the actual data.
>
How is this different from REST, where an XML document of a specified type
may be POSTed to a URL and parsed there, probably by the same parser? Well,
one difference is that SOAP adds a bunch of complexity with no benefit.
That's never good for security.
james
--
James Uther www.F-Secure.com
Senior Software Engineer F-Secure Corporation
Securing the Mobile Enterprise