James Clark, Technical Lead of the original XML Working Group, neatly summarizes why defense in depth is mandatory, not optional, in Web services, be they REST, SOAP, or whatever:
XML is fundamentally not OO: XML is all about separating data from processing, whereas OO is all about combining data and processing. Functional programming is a much better fit for XML: the problem is making it usable by the average programmer, for whom the functional programming mindset is very foreign.
The lack of tooling for secure coding is a real problem. The WS-Security people are ahead here for sure, but there is a lot that needs to be done in all camps. Bottom line: we need a defense in depth security model that composes elements of both the security of the processing state (service security, if you will) and the security of the data itself (for example, message level security), or, as the great American poets called Pavement put it:
two states
we want two states
north and south
two, two states
forty million daggers ...
two states
we want two states
there's no culture
there's no spies
forty million daggers ...
**************************************************
Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
--- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).
The lack of security focus is IMHO the Achilles heel of XML. Although I haven't looked at the WS-Security stuff, I did look at the related encryption and signing standards for XML. No thanks.
As a sort of experiment, I and others wrote XML-X.org, which does 3-party payments in XML for a basic web-based payment system. It works relatively well, but the security side rested heavily on OO-style wrappers for each packet, and then conversion to a later semantic processing engine.
Fundamentally, the promise of XML over one's own format is not clear. Creating your own formats in languages is easier than employing XML parsers, and more controlled and more secure. I sympathise with his comment about the average programmer... but I don't think the average programmer has an easier time with XML than without, if properly supported.
Posted by: Iang | April 09, 2007 at 02:51 PM