Can Web Services Be Secure?
Filed in archive Security by jason on November 17, 2005

When I say large I mean 5-10 MB in size large. I learned right away why a developer uses SAX instead of DOM. This became very obvious to me when the development server I was using started hanging because of "OUT OF MEMORY" errors. Those errors led me to stop using DOM. However, there were times while using SAX when I would get the same type of errors because of a very large data element or attribute being passed to the application. This was solved because I had the ability to control the client in question and force it to validate against a schema before calling my batch program on the server side.

With Web Services, how does a developer protect an application from a DoS attack? A malicious user that can call a Web Service over the Internet could easily submit a bogus SOAP request to that Web Service. Inside that request could be an element or attribute that is megabytes in size. If a number of these types of requests were to happen, I would assume that a server could easily be hung. I've heard that "XML Aware" hardware exists that could stop such an attack, but how many organizations, especially small businesses, use these types of devices?

I would assume that this concern has been addressed in some way since Web Services have become so prolific, but I don't hear much about it. Is this a real threat that just hasn't been exploited, or am I overly concerned about nothing? I'm not sure what the answer is, but when I work on projects that require Web Services on the Internet I do it with caution.
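As an added example (not code from the original post), this sketch shows one server-side way to bound the oversized element or attribute case described above: feed the request to a SAX parser in chunks and abort as soon as a size limit is crossed. The limit values, the names `parse_bounded` and `BoundedHandler`, and the sample payload are assumptions made for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler

# Illustrative limits (assumptions); derive real ones from the service's schema.
MAX_BODY_BYTES = 1_000_000   # whole request body
MAX_TEXT_CHARS = 10_000      # character data directly inside one element
MAX_ATTR_CHARS = 1_000       # any single attribute value

class LimitExceeded(Exception):
    pass

class BoundedHandler(ContentHandler):
    """Counts text per open element and aborts the parse when a limit is hit."""
    def startDocument(self):
        self.text_len = []                     # stack: one counter per open element

    def startElement(self, name, attrs):
        for key in attrs.getNames():
            if len(attrs.getValue(key)) > MAX_ATTR_CHARS:
                raise LimitExceeded(f"attribute {key!r} on <{name}> too long")
        self.text_len.append(0)

    def characters(self, content):
        # SAX may deliver one text node in several calls, so accumulate.
        if self.text_len:
            self.text_len[-1] += len(content)
            if self.text_len[-1] > MAX_TEXT_CHARS:
                raise LimitExceeded("element text too long")

    def endElement(self, name):
        self.text_len.pop()

def parse_bounded(stream, chunk_size=4096):
    """Return None if the request is accepted, otherwise the rejection reason."""
    parser = xml.sax.make_parser()
    parser.setContentHandler(BoundedHandler())
    seen = 0
    try:
        while chunk := stream.read(chunk_size):
            seen += len(chunk)
            if seen > MAX_BODY_BYTES:          # also caps what a huge attribute can buffer
                raise LimitExceeded("request body too large")
            parser.feed(chunk)                 # handler exceptions propagate from here
        parser.close()
    except (LimitExceeded, xml.sax.SAXException) as exc:
        return str(exc)
    return None

# Constructed sample: a SOAP-like body with one 50,000-character element.
OVERSIZED = b"<Envelope><Body><note>" + b"A" * 50_000 + b"</note></Body></Envelope>"
if __name__ == "__main__":
    print(parse_bounded(io.BytesIO(OVERSIZED)))
```

Because the handler raises while the body is still being read, the oversized element is rejected after roughly the first 10,000 characters rather than after the whole request has been received.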