SOAP frustrations

Derek Thomson derek at wedgetail.com
Fri Oct 18 23:51:16 EDT 2002


Dave Kuhlman wrote:
> Nicolas Chauvat wrote:
> 
> 
>>>Yes. It *is* a security issue. By misusing port 80 for remote procedure
>>>...                                ^^^^^^^^
>>>change the policy. Screwing around with port 80 is going to cause a lot
>>>of ill-will. The first time a SOAP request comes through that runs some
>>>random bit of code that causes some damage, you can fully expect to be
>>>hung out to dry for it.
>>>
>>>Organizations have security policies for a reason. Hacking around them
>>>will *never* end well.
>>
>>[applause]
> 
> 
> I have been waiting for someone else to ask this question so that I would not 
> have to show my ignorance.  No such luck.
> 
> What about CGI?  Uses port 80.  Can run "random" bits of code. Powerful 
> enough to destroy servers with a single script.  How is CGI any less of a 
> security threat?  

CGI scripts must be negotiated and vetted before they are installed. 
That is, you must follow the organization's security procedures to get 
one installed. And I know quite a few sysadmins who *do not allow* CGI 
scripts, for obvious reasons. Others allow CGI scripts, but they're 
blocked from contacting any other servers within the firewall. Very wise.

And this is the point. SOAP solves exactly nothing WRT firewalls. You 
will still need to get the proper authorization in a professional manner.

--
D.



