Secure Coding mailing list archives
Web Services vs. Minimizing Attack Surface
From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Tue, 15 Aug 2006 09:15:55 -0500
There may be a conflict here depending on the implementation in practice, but not necessarily. SOA and Web Services often aggregate lots of endpoints (enterprise service buses do this for example) into a smaller set of service interfaces. A couple of weeks ago at MetriCon, Pratyusa Manadhata gave a talk on attack surface metrics which decoupled the attack surface into methods, channel, and data the same way Web Services does.

(http://1raindrop.typepad.com/1_raindrop/2006/08/metricon_softwa.html)

-gp

On 8/15/06 3:03 AM, "John Wilander" <johwi at ida.liu.se> wrote:
> Hi!
>
> The security principle of minimizing your attack surface (Writing Secure Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, named pipes etc. that facilitate network communication between applications. Web services and Service Oriented Architecture on the other hand are all about exposing functionality to offer interoperability.
>
> Have any of you had discussions on the seemingly obvious conflict between these things? I would be very happy to hear your conclusions and opinions!
>
> Regards, John
>
> ____________________________
> John Wilander, PhD student
> Computer and Information Sc.
> Linkoping University, Sweden
> http://www.ida.liu.se/~johwi

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
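The point Gunnar makes (aggregation behind a service bus may or may not shrink the attack surface) can be made concrete with the methods / channels / data decomposition he cites. The following Python is an added example written for this archive page, not code from either poster or from the MetriCon talk. It models a constructed landscape of three directly exposed back-ends (a TCP socket, an RPC endpoint and a named pipe, mirroring the kinds of entry points John lists) and measures the surface three ways: exposed directly, behind a facade that re-exposes every method, and behind a facade that also whitelists methods. Counting each method, channel and data item as one is a simplification chosen for this example; the published metric weights resources and is not reproduced here.

```python
"""Attack surface as (methods, channels, data) before and after aggregation.

Added example for the SC-L thread; the service names, channels, methods and
data items below are constructed, and the size-by-counting rule is a
simplification assumed by this example, not the published metric.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Mapping, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    """One network-reachable interface as an attacker would see it."""
    name: str
    channel: str                            # e.g. a socket, an RPC endpoint, a named pipe
    methods: Mapping[str, FrozenSet[str]]   # method name -> data items it reads or writes


@dataclass(frozen=True)
class AttackSurface:
    methods: FrozenSet[str]
    channels: FrozenSet[str]
    data: FrozenSet[str]

    def size(self) -> int:
        # Assumption of this example: every resource weighs 1.
        return len(self.methods) + len(self.channels) + len(self.data)


def measure(endpoints: Iterable[Endpoint]) -> AttackSurface:
    """Union the three dimensions over everything that is reachable."""
    eps = list(endpoints)
    methods = frozenset(m for e in eps for m in e.methods)
    channels = frozenset(e.channel for e in eps)
    data = frozenset(d for e in eps for ds in e.methods.values() for d in ds)
    return AttackSurface(methods, channels, data)


def aggregate(endpoints: Iterable[Endpoint], channel: str,
              allowed: Optional[Set[str]] = None) -> Endpoint:
    """Model an ESB/facade: one channel fronting all back-ends.

    With allowed=None the facade re-exposes every back-end method, so only
    the channel count changes. With a whitelist, methods outside it (and the
    data reachable only through them) disappear from the surface.
    """
    merged: Dict[str, FrozenSet[str]] = {}
    for e in endpoints:
        for method, data_items in e.methods.items():
            if allowed is None or method in allowed:
                merged[method] = merged.get(method, frozenset()) | data_items
    return Endpoint("service-facade", channel, merged)


# Constructed sample landscape (not real systems).
BACKENDS = [
    Endpoint("orders", "tcp/8001", {
        "create_order": frozenset({"orders_db", "payment_token"}),
        "list_orders": frozenset({"orders_db"}),
        "admin_purge": frozenset({"orders_db"}),
    }),
    Endpoint("inventory", "rpc:inventory-endpoint", {
        "check_stock": frozenset({"inventory_db"}),
        "restock": frozenset({"inventory_db"}),
    }),
    Endpoint("reports", "named-pipe:reports", {
        "run_report": frozenset({"orders_db", "inventory_db"}),
        "export_raw": frozenset({"orders_db", "inventory_db", "customer_pii"}),
    }),
]

PUBLIC_METHODS = {"create_order", "list_orders", "check_stock", "run_report"}


def compare() -> Dict[str, AttackSurface]:
    """Measure the same back-ends under three exposure strategies."""
    return {
        "direct": measure(BACKENDS),
        "aggregated": measure([aggregate(BACKENDS, "https/443")]),
        "aggregated+whitelist": measure([aggregate(BACKENDS, "https/443", PUBLIC_METHODS)]),
    }


if __name__ == "__main__":
    for label, surface in compare().items():
        print(f"{label:22s} methods={len(surface.methods)} channels={len(surface.channels)} "
              f"data={len(surface.data)} size={surface.size()}")
```

Running it shows the nuance: the bus alone collapses three channels into one but leaves all seven methods and all four data items reachable, while the whitelisting facade also removes `admin_purge`, `restock`, `export_raw` and, with them, `customer_pii`. Aggregation reduces the surface only when the facade is also the place where methods are denied.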
Current thread:
- Web Services vs. Minimizing Attack Surface John Wilander (Aug 15)
- Web Services vs. Minimizing Attack Surface Gunnar Peterson (Aug 15)
- Web Services vs. Minimizing Attack Surface Nash (Aug 15)
- <Possible follow-ups>
- Web Services vs. Minimizing Attack Surface Holger.Peine at iese.fraunhofer.de (Aug 15)
- Web Services vs. Minimizing Attack Surface Gadi Evron (Aug 15)
- Web Services vs. Minimizing Attack Surface John Wilander (Aug 16)
- Web Services vs. Minimizing Attack Surface mikeiscool (Aug 16)
- Web Services vs. Minimizing Attack Surface Gadi Evron (Aug 16)
- Web Services vs. Minimizing Attack Surface Gunnar Peterson (Aug 16)
- secure integer library Robert C. Seacord (Aug 17)
- secure integer library Pascal Meunier (Aug 17)
- secure integer library Robert C. Seacord (Aug 17)