SecurityFocus 2002-01-24
A guide to judging Microsoft's security progress.
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 replies)

As always, applications have to be scrutinized for bad or dangerous behavior. Not easy. SOAP adds little more complexity than already exists. A SOAP RPC call to update the database is not much different than a CGI form to update the database. SOAP adds another thing for a security analyst to look at (which does increase the complexity of their job a bit), but that's life.
As for the other measures proposed, I'm not sure they are all very practical. Many of the proposals enable the possibility of a more secure system. But in the hands of an inexperienced end user I don't think you are much farther ahead. The biggest challenge is getting the trade-off between usability and security just right.
Time will tell if MS will live up to their promises. Even though I can bash MS as much as anybody, I believe they are serious and will make security a priority, and that you will see better product out the door. Give it some time before judging them, however. Only new projects being initiated now or in the near future will have the full benefit of the security edict, and they will take time to hit the streets.
Link to this comment: http://www.securityfocus.com/comments/articles/315/10194#10194