Thursday, March 03, 2005

Web Services Security - Concerns And Advances

Tony Baer writes, The strengths of SOAP and XML are also their greatest weaknesses. As SOAP uses HTTP, designed to pass through firewalls, SOAP messages could provide attractive vectors for writers of all the evil malware that infects Windows PCs. As XML is wordy and easy to manipulate, it would be easy for hackers to design a payload that is so complex to parse that it could expose service providers to denial of service attacks. In all likelihood, there have probably been few if any attacks up until now because the vast worlds of Outlook address books and category-killer sites like Amazon or Yahoo present meatier targets for hackers. But as enterprises expose higher-value transactions through SOAs and web services, attackers bent on economic destruction could shift their sights.

The immediate question is whether the basic building blocks of web services – SOAP and XML – are in their own way just as vulnerable as Windows and Internet Explorer. In Windows and IE, the problems are endemic to the platform; for web services, the vulnerability is the distributed nature of web services, the accessibility of the core building blocks (XML can be read by non-programmers), and the lack of mechanisms, best practices, or standards outside of identification or message authentication. Compounding matters, because web services are standards-based, they are well suited for interchangeability. You can replicate, aggregate, or disaggregate service requests or service content. And XML itself is very resource-intensive. XML and SOAP could present inviting targets for hackers.

Tony Baer also warns, "sooner or later, hacks and malware will become reality, meaning that service requests are going to have to be vetted for threats far beyond requestor or message integrity".
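Baer's two points, that a payload can be made expensive to parse and that service requests will need to be vetted beyond message integrity, translate into a concrete control at the edge of a SOAP endpoint. The block below is an added example, not code from this post or from Tony Baer: a pre-parse gate that streams a request body through the standard-library expat parser and rejects oversized, deeply nested, element-heavy or DOCTYPE-bearing envelopes before any document tree is built. The limits MAX_BYTES, MAX_DEPTH and MAX_ELEMENTS are assumed values to be tuned per service.

```python
# Added example (not from the post): pre-parse vetting of a SOAP request body.
import xml.parsers.expat

MAX_BYTES = 64 * 1024     # assumed cap on request body size; tune per service
MAX_DEPTH = 32            # assumed cap on element nesting depth
MAX_ELEMENTS = 10_000     # assumed cap on total element count
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

class RejectedMessage(Exception):
    """Raised when a body fails vetting; str(exc) gives the reason."""
def vet_soap_request(body: bytes) -> dict:
    """Return {'elements', 'max_depth'} for an acceptable body, else raise."""
    if len(body) > MAX_BYTES:
        raise RejectedMessage(f"body too large: {len(body)} bytes")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    # With a namespace separator, element names arrive as "uri}local".
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["elements"] == 1 and name != SOAP_ENV_NS + "}Envelope":
            raise RejectedMessage(f"root element is not a SOAP Envelope: {name}")
        if stats["depth"] > MAX_DEPTH:
            raise RejectedMessage(f"nesting deeper than {MAX_DEPTH} levels")
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedMessage(f"more than {MAX_ELEMENTS} elements")

    def end_element(name):
        stats["depth"] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Entity declarations are the usual route to expansion-based DoS.
        raise RejectedMessage("DOCTYPE declarations are not allowed")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(body, True)  # exceptions raised in handlers propagate out
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}
def verdict(body: bytes) -> str:
    try:
        vet_soap_request(body)
        return "accepted"
    except RejectedMessage as exc:
        return str(exc)
```

Because the check is streaming, a rejected body costs at most the work done up to the first violated limit, which is the property Baer's parse-complexity concern calls for.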
Sadagopan's Weblog on Emerging Technologies, Trends, Thoughts, Ideas & Cyberworld