Web Services vs. Minimizing Attack Surface

[gunnar at arctecgroup.net (Gunnar Peterson)]

There may be a conflict here depending on the implementation in practice,
but not necessarily. SOA and Web Services often aggregate lots of endpoints
(enterprise service buses do this for example) into a smaller set of service
interfaces.

A couple of weeks ago at MetriCon, Pratyusa Manadhata gave a talk on attack
surface metrics which decoupled the attack surface into methods, channel,
and data the same way Web Services does.
(http://1raindrop.typepad.com/1_raindrop/2006/08/metricon_softwa.html)

-gp


On 8/15/06 3:03 AM, "John Wilander" <johwi at ida.liu.se> wrote:

> Hi!
>
> The security principle of minimizing your attack surface (Writing Secure
> Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints,
> named pipes etc. that facilitate network communication between
> applications. Web services and Service Oriented Architecture on the
> other hand are all about exposing functionality to offer interoperability.
>     Have any of you had discussions on the seemingly obvious conflict
> between these things? I would be very happy to hear your conclusions and
> opinions!
>
>     Regards, John
>
> ____________________________
> John Wilander, PhD student
> Computer and Information Sc.
> Linkoping University, Sweden
> http://www.ida.liu.se/~johwi
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php