1) you don't have to run web services over port 80 2) you can run lots of interesting things over port 80 not just web services
3) web services are an incremental improvement over dcom, mq series, and rmi-iiop. I do not see that the IDS and Systems monitoring situation is any worse, since they are weak in these areas as well. 4) the fact that you *can* validate soap envelopes (and body), as opposed to the security services available in the aforementioned technologies, is precisely the point. Web services have a number of interesting ways to deploy security to protect your messages, SAML, WS-Security, WS-Trust, are all improvements over what is available in web services' predecessors for interoperable security services. -gp On 8/16/06 4:22 AM, "John Wilander" <[EMAIL PROTECTED]> wrote: > Thanks for all the replies so far! I would just like to comment on > Holger Peine's and Mike Hines' viewpoints. > > [EMAIL PROTECTED] wrote: >> I don't see a conflict here: A web service (just as any >> network-accessible >> service, no matter whether programmed using sockets, Java RMI, SOAP or >> whatever) is _intended_ to provide some function to the outside world, >> so you have to open _some_ door into your system. The advice about >> minimizing the attack surface is about not opening any doors you don't >> really need (or worse, didn't even intend to open). > > As you say, any kind of system is _intended_ to provide some function. > But security bugs often hide in unintended, undocumented or unknown > functionality. By increasing the attack surface you also increase the > risk of adding unknown functions. > > Mike Hines commented on web services running everything through port 80 > (HTTP) as negating "... any value of firewalls and most likely intrusion > detection systems". Indeed, web services tunnel a lot of functionality > through port 80, effectively hiding it from many system monitoring > defense measures. The security will rely on validating SOAP envelopes > and prevention at the application/run-time system level. It seems to me > like a huge burden. > > Regards, John > > ____________________________ > John Wilander, PhD student > Computer and Information Sc. > Linkoping University, Sweden > http://www.ida.liu.se/~johwi > _______________________________________________ > Secure Coding mailing list (SC-L) > [email protected] > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php _______________________________________________ Secure Coding mailing list (SC-L) [email protected] List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
