Try a little Googling... search for "ws-security" and "soap-security". There is a fair amount of material out there, some informative, some opinionated, and some speculative. Also, check out Bruce Schneier's thoughts at counterpane.com and also the relevant postings at xmlhack.com.
-----Original Message-----
From: Jason Renard [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 3:08 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] RE: SOAP (Simple Object Access Protocol)

I've heard lots of scary stories about SOAP, in particular because it has some form of RPC functionality and doesn't have its own built-in security, but I've not seen much detailing the real risks. After all, with HTTP connections to back-end applications you can do a lot of damage too (especially with some ASP pages or with CGI scripts).

I get the feeling that allowing RPC (for example on Unix systems) is a 'system exposure', but I'm wondering whether allowing SOAP is just an 'application exposure', in which case what's the difference between that and parameter-driven CGI scripts? And how about allowing SOAP for the purposes of 'Web services' together with SAML or some other authentication mechanism?

I, too, am wary of SOAP but I'd like to try and put the risks in context, so any pointers to good reading material would be appreciated!

Jason

_______________________________________________
ISSforum mailing list
[EMAIL PROTECTED]

-------------------------------------------------------------------------------
This message and any included attachments are from Siemens Medical Solutions Health Services Corporation and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to [EMAIL PROTECTED]. Thank you.
