xml-dev - RE: [xml-dev] SOAP-RPC and REST and security

RE: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

To: <francis@redrice.com>
Subject: RE: [xml-dev] SOAP-RPC and REST and security
From: "Uther, James" <James.Uther@F-Secure.com>
Date: Thu, 21 Feb 2002 15:29:57 +0200
Cc: <xml-dev@lists.xml.org>
Thread-index: AcG6xu9vD8nPPCjyRe+flCwG+UynKgAFC1+A
Thread-topic: [xml-dev] SOAP-RPC and REST and security

>From: Francis Norton [mailto:francis@redrice.com]
>> 
>> It's one thing to be against clients remotely executing code on a server
>> and another to scapegoat SOAP in an ill-conceived attempt to garner
>> negative press towards a misunderstood technology. 
>> 
>> After all, buffer overflows are possible in all web applications written
>> in unsafe languages. Whether they use SOAP or not is inconsequential. 
>
>I would suggest that one of the security advantages of Web 
>Services is that you can specify the lengths and types of all 
>fields using XML Schema, and that you use a robust third-party 
>component to parse and validate the actual data.
>

How is this different from REST, where an XML document of a specified type
may be POSTed to a URL and parsed there, probably by the same parser? Well,
one difference is that SOAP adds a bunch of complexity with no benefit.
That's never good for security.

james

-- 
James Uther                   www.F-Secure.com
Senior Software Engineer  F-Secure Corporation  

        Securing the Mobile Enterprise

Follow-Ups:
- Re: [xml-dev] SOAP-RPC and REST and security
  - From: Francis Norton <francis@redrice.com>

Prev by Date: Re: [xml-dev] Why make namespaces so complicated?
Next by Date: What is SOAP?
Previous by thread: Re: [xml-dev] SOAP-RPC and REST and security
Next by thread: Re: [xml-dev] SOAP-RPC and REST and security
Index(es):
- Date
- Thread