Schneier worried about SOAP security
15:32, 15 Feb 2002 UTC | Edd Dumbill

Bruce Schneier has written, in the latest issue of CRYPTO-GRAM, an analysis of the security of Microsoft's products, touching on .NET and SOAP.

Speaking about SOAP, Schneier says: "It may be that SOAP offers sufficient security mechanisms, proper separation of code and data. However, Microsoft promotes it for its security avoidance."

Saying that SOAP should "be withdrawn", he quotes Microsoft:

According to the Microsoft documentation: "Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall." It is exactly this feature-above-security mindset that needs to go.

However, Schneier's comments seem to come from a standpoint of ignorance as to the current state of the development of SOAP, and are perhaps best taken together with his more general reservations about the mixing of data and program code. It certainly seems that his reaction is more to the ill-advised firewall-piercing aspect mentioned in the Microsoft documentation than to any particular aspect of the SOAP specification.

The reminder of the need for attention to security is timely, however.


Newest comments

Re: Schneier worried about SOAP security (Christian Geuer-Pollmann - 11:02, 19 Feb 2002)
I think one problem for security people who only have a short look on this technology is the "object ...