There may be a conflict here depending on the implementation in practice, but not necessarily. SOA and Web Services often aggregate lots of endpoints (enterprise service buses do this for example) into a smaller set of service interfaces.

A couple of weeks ago at MetriCon, Pratyusa Manadhata gave a talk on attack surface metrics which decoupled the attack surface into methods, channel, and data the same way Web Services does. (http://1raindrop.typepad.com/1_raindrop/2006/08/metricon_softwa.html)

-gp

On 8/15/06 3:03 AM, "John Wilander" <[EMAIL PROTECTED]> wrote:

> Hi!
>
> The security principle of minimizing your attack surface (Writing Secure
> Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints,
> named pipes etc. that facilitate network communication between
> applications. Web services and Service Oriented Architecture on the
> other hand are all about exposing functionality to offer interoperability.
> Have any of you had discussions on the seemingly obvious conflict
> between these things? I would be very happy to hear your conclusions and
> opinions!
>
> Regards, John
>
> ____________________________
> John Wilander, PhD student
> Computer and Information Sc.
> Linkoping University, Sweden
> http://www.ida.liu.se/~johwi
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php