Secure Coding mailing list archives

Web Services vs. Minimizing Attack Surface

From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Wed, 16 Aug 2006 08:08:26 -0500

1) you don't have to run web services over port 80

2) you can run lots of interesting things over port 80 not just web services

3) web services are an incremental improvement over dcom, mq series, and
rmi-iiop. I do not see that the IDS and Systems monitoring situation is any
worse, since they are weak in these areas as well.

4) the fact that you *can* validate soap envelopes (and body), as opposed to
the security services available in the aforementioned technologies, is
precisely the point. Web services have a number of interesting ways to
deploy security to protect your messages, SAML, WS-Security, WS-Trust, are
all improvements over what is available in web services' predecessors for
interoperable security services.

-gp


On 8/16/06 4:22 AM, "John Wilander" <johwi at ida.liu.se> wrote:

Thanks for all the replies so far! I would just like to comment on
Holger Peine's and Mike Hines' viewpoints.

Holger.Peine at iese.fraunhofer.de wrote:

I don't see a conflict here: A web service (just as any
network-accessible
service, no matter whether programmed using sockets, Java RMI, SOAP or
whatever) is _intended_ to provide some function to the outside world,
so you have to open _some_ door into your system. The advice about
minimizing the attack surface is about not opening any doors you don't
really need (or worse, didn't even intend to open).


As you say, any kind of system is _intended_ to provide some function.
But security bugs often hide in unintended, undocumented or unknown
functionality. By increasing the attack surface you also increase the
risk of adding unknown functions.

Mike Hines commented on web services running everything through port 80
(HTTP) as negating "... any value of firewalls and most likely intrusion
detection systems". Indeed, web services tunnel a lot of functionality
through port 80, effectively hiding it from many system monitoring
defense measures. The security will rely on validating SOAP envelopes
and prevention at the application/run-time system level. It seems to me
like a huge burden.

    Regards, John

____________________________
John Wilander, PhD student
Computer and Information Sc.
Linkoping University, Sweden
http://www.ida.liu.se/~johwi
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Current thread:

Web Services vs. Minimizing Attack Surface John Wilander (Aug 15)
- Web Services vs. Minimizing Attack Surface Gunnar Peterson (Aug 15)
- Web Services vs. Minimizing Attack Surface Nash (Aug 15)
- <Possible follow-ups>
- Web Services vs. Minimizing Attack Surface Holger.Peine at iese.fraunhofer.de (Aug 15)
  - Web Services vs. Minimizing Attack Surface Gadi Evron (Aug 15)
  - Web Services vs. Minimizing Attack Surface John Wilander (Aug 16)
    - Web Services vs. Minimizing Attack Surface mikeiscool (Aug 16)
    - Web Services vs. Minimizing Attack Surface Gadi Evron (Aug 16)
    - Web Services vs. Minimizing Attack Surface Gunnar Peterson (Aug 16)
    - secure integer library Robert C. Seacord (Aug 17)
    - secure integer library Pascal Meunier (Aug 17)
    - secure integer library Robert C. Seacord (Aug 17)