[SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread John Wilander
Hi! The security principle of minimizing your attack surface (Writing Secure Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, named pipes etc. that facilitate network communication between applications. Web services and Service Oriented Architecture on the other hand are

Re: [SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread Nash
Thinking about attackable surface area is a good metaphor, but I think it's breaking down on you. Think about a classic forms-driven (MVC) web application. If it's at all complex, it'll contain a variety of form processing programs that are all interlinked with a complex state-sharing mechanism.

Re: [SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread Gadi Evron
ou get to play with the code, in some cases anyway.Other than that and the fact the code runs, mostly, locally, there is no difference. The one major different is that with some services, the vulnerability is local as everybody builds their own. The main issue here is that web services allow