ou get to play with the code, in some cases anyway.Other than that and the fact the code runs, mostly, locally, there is no difference.
The one major difference is that with some services, the vulnerability is local as everybody builds their own. The main issue here is that web services allow for easy access to the machine, and for access to many third party and unrelated scripts and modules that will not be accessible by most other programs, once already connected.

Gadi.

On Tue, 15 Aug 2006 [EMAIL PROTECTED] wrote:

> > [mailto:[EMAIL PROTECTED] On Behalf Of John Wilander
> > Sent: Tuesday, 15 August 2006 10:03
> > Subject: [SC-L] Web Services vs. Minimizing Attack Surface
> >
> > Hi!
> >
> > The security principle of minimizing your attack surface (Writing Secure
> > Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints,
> > named pipes etc. that facilitate network communication between
> > applications. Web services and Service Oriented Architecture on the
> > other hand are all about exposing functionality to offer
> > interoperability.
>
> I don't see a conflict here: A web service (just as any network-accessible
> service, no matter whether programmed using sockets, Java RMI, SOAP or
> whatever) is _intended_ to provide some function to the outside world,
> so you have to open _some_ door into your system. The advice about
> minimizing the attack surface is about not opening any doors you don't
> really need (or worse, didn't even intend to open).
>
> Another matter is the question of whether it might be easier to
> produce a vulnerability when providing some function in the form of a
> web service as opposed to another technique. One could argue in this
> direction, e.g. because of creating new attack vectors such as XML
> injection, or helping the attacker by providing the WSDL. But again,
> this does not make web services incompatible with the principle of
> minimal attack surface per se.
>
> Kind regards,
> Holger Peine
>
> --
> Dr. Holger Peine, Security and Safety
> Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
> Phone +49-631-6800-2134, Fax -1899 (shared)
> PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php