Tuesday, October 23, 2012

Frameworkitis and False Enterprisey Security: WS-Security and signing.

http://blogs.msdn.com/b/vbertocci/archive/2005/04/25/end-to-end-security-or-why-you-shouldn-t-drive-your-motorcycle-naked.aspx

Who wears a motorcycle helmet indoors? Just because it's a simple analogy doesn't mean it's right.

This is still rampant frameworkitis. The argument goes: HTTPS isn't good enough, because what happens to the message after it reaches its endpoint?

Oh, you mean the fucking ENDpoint?

99% of SOAP bloat systems (aka licensed application servers configured and installed by consultants) IMMEDIATELY deserialize the SOAP message into a data structure, and from there that data structure gets shoved into a database call or an MQ message or whatever. The signature verification happens once, at the edge, and from that moment on nothing downstream is signed.

Notice the uselessness of message signing here. It's a false security blanket sold to stupid fucking executives. A WS-Security signature covers the envelope, not the data's life after parsing: post-parse, the data is plaintext in a host of different settings, SQL statements, follow-up messages, log lines. Protecting it there requires either good internal data-handling practices or a security architecture specifically tailored to carry integrity past the parser (keeping the signed envelope around so it can be re-verified, for instance), and no framework checkbox gives you that.

READ: the case where the signature actually earns its keep, an envelope crossing untrusted intermediaries after TLS terminates, is less than 1% of deployments, and it is outside the concerns of SOAP, which is a messaging protocol, not a transport protocol.
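To make the point concrete, here is an added example (not code from the original post or from any SOAP stack) that models the pipeline above: an endpoint verifies a signed envelope, deserializes the body into a dict, and hands the dict to SQL. The signing scheme is a stand-in, HMAC-SHA256 over the exact Body bytes with a constructed shared key, rather than WS-Security's XML-DSig with canonicalization; the envelope layout, the order message and the `orders` table are likewise constructed for the demo. Tampering in transit is caught; tampering after the parse is not, because nothing signed travels with the data. The optional `keep_envelope` path sketches the "specifically tailored architecture" alternative, storing the signed envelope next to the row so an audit can re-verify it later.

```python
"""Added example (not from the original post): where a SOAP signature stops
protecting the data. HMAC-SHA256 over the raw Body stands in for XML-DSig;
the key, message and schema are constructed for the demo."""
import hashlib
import hmac
import sqlite3
import xml.etree.ElementTree as ET
from typing import Optional

KEY = b"demo-shared-secret"  # constructed demo key, not a real WS-Security key
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def sign_body(body: str) -> str:
    """Stand-in for the XML-DSig step: MAC over the exact Body bytes."""
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def build_envelope(body: str) -> str:
    """Producer side: wrap the body, carry the signature in the header."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}">'
            f"<s:Header><Signature>{sign_body(body)}</Signature></s:Header>"
            f"<s:Body>{body}</s:Body></s:Envelope>")


def _between(text: str, start: str, end: str) -> str:
    """Byte-exact slice; a real stack would canonicalize (C14N) instead."""
    i = text.index(start) + len(start)
    return text[i:text.index(end, i)]


def verify_envelope(envelope: str) -> str:
    """Endpoint side: check the signature and hand back the raw body.
    This is the last moment the signature says anything about the data."""
    sig = _between(envelope, "<Signature>", "</Signature>")
    body = _between(envelope, "<s:Body>", "</s:Body>")
    if not hmac.compare_digest(sig, sign_body(body)):
        raise ValueError("signature check failed")
    return body


def accepted(envelope: str) -> bool:
    """True if the endpoint's signature check passes."""
    try:
        verify_envelope(envelope)
        return True
    except ValueError:
        return False


def deserialize(body: str) -> dict:
    """What every SOAP stack does next: XML -> plain data structure."""
    return {child.tag: child.text for child in ET.fromstring(body)}


def open_db() -> sqlite3.Connection:
    """Constructed downstream store: customer, amount, optional envelope."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, amount INTEGER, envelope TEXT)")
    return db


def persist(db: sqlite3.Connection, order: dict, envelope: Optional[str]) -> None:
    """Downstream call. The dict is plaintext; nothing here can re-check it
    unless the signed envelope is kept alongside."""
    db.execute("INSERT INTO orders VALUES (?, ?, ?)",
               (order["customer"], int(order["amount"]), envelope))


def process(db: sqlite3.Connection, envelope: str,
            tamper_after_parse: bool = False, keep_envelope: bool = False) -> tuple:
    """Endpoint pipeline: verify, parse, persist. Returns the stored row."""
    body = verify_envelope(envelope)
    order = deserialize(body)
    if tamper_after_parse:
        # Anything between parse and SQL (a buggy mapper, a hostile
        # interceptor, a careless enrichment step) can do this unnoticed.
        order["amount"] = "1"
    persist(db, order, envelope if keep_envelope else None)
    return db.execute(
        "SELECT customer, amount FROM orders ORDER BY rowid DESC LIMIT 1").fetchone()


def audit(db: sqlite3.Connection) -> list:
    """Re-verify stored rows against their original signed envelope.
    Only rows that kept the envelope can be checked at all."""
    findings = []
    for customer, amount, env in db.execute("SELECT customer, amount, envelope FROM orders"):
        if env is None:
            findings.append((customer, amount, "no envelope to check"))
            continue
        original = deserialize(verify_envelope(env))
        if (original["customer"], int(original["amount"])) != (customer, amount):
            findings.append((customer, amount, "differs from signed body"))
    return findings


if __name__ == "__main__":
    db = open_db()
    env = build_envelope("<Order><customer>acme</customer><amount>500</amount></Order>")
    print("clean:", process(db, env, keep_envelope=True))
    print("in-transit tamper accepted?", accepted(env.replace("<amount>500", "<amount>1")))
    print("post-parse tamper stored as:", process(db, env, tamper_after_parse=True))
    print("audit:", audit(db))
```

Run it and the in-transit edit is rejected while the post-parse edit lands in the table as `('acme', 1)` with no error anywhere; only the audit, which needs the envelope to have been kept, notices. That extra plumbing is exactly the tailored architecture the frameworks don't give you.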

It's frameworkitis and enterprisey. Let's add a bunch of stuff that isn't the concern, bloat, bloat, bloat, million dollar license, buy a Ferrari.

Fucking software companies. 
