
  • To: "Mike Champion" <mc@x...>,<xml-dev@l...>
  • Subject: RE: SOAP-RPC and REST and security
  • From: "Dare Obasanjo" <dareo@m...>
  • Date: Tue, 19 Feb 2002 23:41:15 -0800
  • Thread-index: AcG5x5NV0UXkHlMjRmqAZmrDV88UWgAGLaAQ
  • Thread-topic: SOAP-RPC and REST and security

> -----Original Message-----
> From: Mike Champion [mailto:mc@x...] 
> Sent: Tuesday, February 19, 2002 7:23 PM
> To: xml-dev@l...
> Subject:  SOAP-RPC and REST and security
> 
> 
> One more issue on RPC vs REST -- security.
> 
> I'm not sure this is a differentiator, but consider this section of 
> http://www.counterpane.com/crypto-gram-0202.html#2
> 
> "And one of the simplest, strongest, and safest models is to enforce a
> rigid separation of data and code. The commingling of data and code is
> responsible for a great many security problems...

Ahhh I see, so he has a problem with the Von Neumann architecture? I
wonder what kind of machine he uses at home then. :)

> One could surely argue that REST *does* rigidly separate code from
> data, and I can't see offhand how a Melissa-esque worm could spread
> via a REST web service.

Melissa was an email worm that spread by having people open a Word
document with a macro in it. I fail to see what Melissa has to do with
web services (or worms for that matter).

> So, what's the current thinking about SOAP-RPC as a security risk in
> *plausible* scenarios where business services are exposed via SOAP?
> And is it generally accepted that a REST-ful worm couldn't happen, or
> is this wishful thinking on my part?

I fail to see how REST prevents worms from occurring. Most of the major
web worms have spread by exploiting buffer overflow bugs in server
software. I fail to see how REST suddenly magicks that away.

-- 
THINGS TO DO IF I BECOME AN EVIL OVERLORD #34
I will not turn into a snake. It never helps.
