Sunday, February 17, 2008


Bex Huff and John Newton 1 vs James McGovern 0

A while back, Bex Huff and John Newton commented on using REST for ECM, which I attacked. Today, I have to acknowledge that I didn't give them enough credit...

Normally, security-oriented types tend to think of REST approaches as being less secure than SOAP invocations, since SOAP allows additional security features to be layered on, such as federating identity via SAML and/or WS-Federation, injecting encryption and signing, etc. The funny thing about the world of ECM is that, since this domain hasn't come up with a great standards-based way of querying for documents that meet particular criteria, each vendor has invented its own, and some have even made security weaker in the process.

In a previous blog entry, I commented on how ECM can be subjected to the equivalent of SQL injection attacks, and worse, because the service interface allows SQL grammar to be passed directly to the backend. The funny thing is that REST-style invocations, where the client names a resource and supplies values rather than query grammar, don't suffer from this problem and may be inherently more secure than SOAP.
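To make the distinction concrete, here is an added illustration (my own example, not code from any ECM product or from Bex's or John's posts) of the two interface styles side by side over a constructed in-memory document table: one endpoint accepts a raw WHERE clause from the client, the other accepts only a search value and binds it as a parameter. The function and column names are assumptions for the example.

```python
import sqlite3


def build_repo():
    """Constructed stand-in for an ECM repository: three documents, two owners."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
        INSERT INTO documents VALUES (1, 'Q4 forecast', 'alice');
        INSERT INTO documents VALUES (2, 'Board minutes', 'bob');
        INSERT INTO documents VALUES (3, 'Payroll export', 'bob');
        """
    )
    return conn


def grammar_search(conn, caller, where_clause):
    """Interface that takes SQL grammar from the client, as the post describes.

    The server prepends an owner restriction, but because the rest of the
    WHERE clause is client-controlled text, the restriction can be neutralised
    by a clause that short-circuits it; the server cannot tell a legitimate
    filter from a hostile one. (Intentionally unsafe, for comparison only.)
    """
    sql = (
        "SELECT id, title FROM documents "
        f"WHERE owner = '{caller}' AND {where_clause}"
    )
    return conn.execute(sql).fetchall()


def resource_search(conn, caller, title_contains):
    """REST-style interface: the client supplies a value, never grammar.

    The query text is fixed on the server side and the caller's identity and
    search term are bound as parameters, so the value can only ever be
    compared against the title column, whatever characters it contains.
    """
    sql = "SELECT id, title FROM documents WHERE owner = ? AND title LIKE ?"
    return conn.execute(sql, (caller, f"%{title_contains}%")).fetchall()


def owner_scope_holds(rows, caller, conn):
    """Server-side check: every returned document belongs to the caller."""
    owners = {conn.execute("SELECT owner FROM documents WHERE id = ?", (r[0],))
              .fetchone()[0] for r in rows}
    return owners <= {caller}
```

The same tautology that makes the grammar-taking endpoint return another owner's documents is, on the resource endpoint, just a title substring that matches nothing, which is the property a reviewer of an ECM query API should be checking for.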

Maybe some ECM folks are more security literate than I have given credit for...

