Web Services, Web 2.0 & SOA - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Web Services, Web 2.0 & SOA


Keep Web Services on a Diet



 By: Peter Coffee
2005-02-07
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Web Services, Web 2.0 & SOA story.


Rate This Article:
Poor Best
Opinion: Use affirmative APIs and content-analysis tools to make sure they're eating right.

Nobel Prize winner Robert Solow once warned of the hazards of oversimplification, saying that one could call it the occupational hazard of being an economist—except that it was actually the occupation.

In the same way, one could say that its the occupation of the Web services developer to make a companys intellectual property available to a wider range of users in a broader variety of ways. Unfortunately, theres no clear boundary between that occupation and the corresponding hazard of doing it too well.

Attacks on Web-based assets are hardest to block when they work by taking "success" too far: when a server gets more hits than it can handle in a simple denial-of-service attack, or when a file access method turns out to be more general-case than intended.

Resource Library:
Moreover, we quickly put ourselves into a domain of diminishing returns when we try to define, ever more precisely, the things that we wont permit to a human user or a client application. We might call this the Kerr effect, in honor of the late Jean Kerr, author of "Please Dont Eat the Daisies"—a book whose name came from the hard-learned lesson that a rule-based approach to regulating behavior will never get to the last necessary rule.

"I had a dinner party and told the twins and Christopher not to go in the living room, not to use the guest towels in the bathroom, and not to leave the bicycles on the front step. However, I neglected to tell them not to eat the daisies on the dining-room table. This was a serious omission, as I discovered when I came upon my centerpiece—a charming three-point arrangement of green stems," Kerr ruefully reported to her readers.

Customer-facing systems must be designed to doubt. Click here to read more.

My wary appreciation of the Kerr effect explains, I suspect, many of my preferences when it comes to software and system security. I favor the Java and .Net approach, for example, of stating specifically what privileges a piece of code enjoys, and which resources its allowed to engage, rather than trying to envision every "thou shalt not" that needs to be stated to keep anyone from using my code to eat my daisies.

We see another approach along these lines in the content management technologies described in this mornings story by eWEEKs Dennis Fisher, who describes new tools for content analysis and event recognition to safeguard valuable files against unauthorized use or transfer. The determined will still find ways to get past such systems, for example using tools of steganography, and security professionals must stay abreast of these techniques—but bread-and-butter enterprise developers can at least lock more doors against accidental or opportunistic leaks.

We dont want to find ourselves following Jean Kerrs path toward ever-more-explicit prohibitions. "Christopher gets up ahead of the rest of us on Sunday mornings, and he has long since been given a list of clear directives: Dont wake the baby, Dont go outside in your pajamas, Dont eat cookies before breakfast. But I never told him, Dont make flour paste and glue together all the pages of the magazine section of the Sunday Times. Now I tell him, of course," she reported. We can write rules and invoke APIs forever—Im pretty sure thats a literal and formally provable statement—and still not prevent every possible exploit of the loopholes that will remain.

The affirmative approach, "This is what youre allowed to do," and the exception-detecting approach, "This would be odd and should be reported if it happens," seem to me a much more attractive set of strategies.

Tell me what rules you didnt realize you needed, until they were broken, at peter_coffee@ziffdavis.com

Check out eWEEK.coms for the latest news, reviews and analysis in Web services.



  Reader Comments: Keep Web Services on a Diet
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Web Services, Web 2.0 & SOA Articles          >>> More By Peter Coffee
 


x}r8qռFsvg]mG-9ƶoN!c䐔meμgy 7]hɗ8["w~vv I sǘYNӡGoMzI|ݻ@@iZNU rJ e>HwW7ncR;^> \?g#Q;Y|}^~lv .pѲ ⌲Qm/5xyK`nZN<QCѺ8QQw,8$a}#$B g*Nuol Q6RTR/F8wd| #|=xa/ w-}~@3ZUX'[vB1BE8 u#A%;_q@ؓ:IuhmUb'Өbb#8Q^ݡc9LN\^@ZSӂ螩[{mɧ9u]kԏ ZT$ny8D7l2XpaRb5#Ϟ~b>4 .ܪa?WuomzVuoƞ327 p%X䈍YR0wC'&>dСģZr ˺7heo6 usҾVUBXW╻iΝoDU3fXk]{UMSE2GqX}m)9x] >LyES<_>3i^_`d}#1UJ Z. $_'6tt<_MBn $>:GFI/jj/4E; Kpf1S$XI#F/XTUGb9jzMҺ赮.鵎Oڭ$oIJ1<JEӀH ZvBo!W%uٹi>[]$#t:+?f'_ZUկ7#?~j[dP{pHji_Rs?#1>_$.?IN±,7{M0o-Yn]H.ޕ|T|Y|ěy#0ri4(߆Aw[ AVtBm&T7o`H2 4 .fm-w z a6Z@Lt\ aǘش 6,%hJqOd$e $}ВYtBFͨ0 .)J""xV3 E9ԑ>BBp4CZC>O=Sjimvi|Q}ѦޡR?5}81 @ LNa 8+wGݺzNnXŞ* R߭}0CA 6]LR}l;>tPhR0<sx7LnM)σ5HˋF` VPC9N@̧P}MrAݛS9[ݴiǀxԘ ).aHd˕F ] #RRP$C]Pv9B B!\0 HV(V􎄰R1iJLO:Tt{B#;}T/΍5aGe-n^ $ d3CCdq8ZLboD6], S mo-Muc{XT5m\O4MhFЄ%Gn]ּG32H`w?f!1q WQeNAsǞs,4ğN']ǺdmA 9c߃ 兏u5dujISӆNH|Ehs 2!jĹæ笳Z&5\'ސN86h;Ͱ&QUN?>yBOL\naDP$W:O̗HږiES}77BgsݐC/2$\^&VAB1 6d:l';oW fnR>=Mr=""ǰ]_7n>DL)^HIbЙj!@)z٧l.3-D֒ebum"$lJ=Ҵ.Z*X!d[}aa6E]QZRKPD@BR) ŠiY^`(ytMLТ~҆}}Ssm /U OLXZ:Z^Ϛa+ L 24 0C~0-j(6 /gXSq;hzE>wM|P93?Q,C,8c4)L>Aװ HZU{)u&\$0e\8V,'Ё*8t5u{qq;[ZvOZŽtѐzg/h擫Vp ;Dzۃh2f ÑiHuߴIF̫%eXȏE}T5F<1D ȸla,ri L*gXs>Qidݞ0RKܴg& 'zQ8e'o秺 ؑGaŅ^ۨal+ 5o`"12l3u&/ztwE% i4Q,(J9Aw)` L] Ty{0$t`m\>(epF,`^|<> B KG"Z``EsǖYCǖbT۔Ђ|P*7i~Ò?DBCizi}~هF9C!_%PPo?EjPƆVVR尨V*oV ()3K0ƾ3T/Nܟ{o{䳲ߧה{`3TxK}`x䣋2,*`Ȳ|˘/ մv2J9fKӥ ,C 4i 0X[ ⚪T}ffW{)|h#R @ ` Kx{ZCAk2۩\Gw]܁c2P>H(TXg7cME]ac6U{zn&)ZMMe;4 OcIۛ'or2-rfF酛L+30j(Yk|[` rfVȵ>tNd_&F}G ϣGjZ)1/ HDO"K>uKlg`̦`p. (w̕0_m-&o# d&.ōfπiLdž2m}  m_/ `E'8wD1$5ۭ>,!y~j~9p驔rgPWtq͡/3ONQXx}[ҧw4A̘5YTRBW}X`" ]1*&jخOlGe7UY Q?PGІ˔[ā3Wf4$ڎbVpDMb? h)렙tCȪVW%uZU ՂV'sfٞE(FߍCeRԣo{{kC4g?"XWP)~3ȔɹT.jZl[)Uʹwc"aqC` H\WK{dQ"Y @rrjT + ePxp|{W !&6ǷWXOdK!MWF@"'! M+3,`jBU\ό&нݽ]VUv&&BP`&[w,OɪO@T #N;?J)hlsѓNxŹg/;vݹ8 "hCrj?Eyjɽcq >"/!UˇWM}xgi\[dzLR(!I1>`d˙]=-bo/fta Nza嵀 _9zsq}!}9\x}ђ:'s5B DH䄬W!zZfS L k3d8)(hdqHá;|0M ဏQJh 鳁VKu^c'`|xr'|xj}yUi^;GNĶ;S f#m{'M{q?I8t2Ti\'3XrwѺB ~ݾM5g[f1rfwio=|] {~ ]ݣPIݣ뻻~=Ғ(r]ZD ܎qw5Q{qI9.xu?,r`\TzH^8Xڽ]cg[D:*pc޸O>d3j3WF Im{>DrPX`%;({$חas;YgwQ^=71$Ϯ* vjvwgl܂ ו(Fx S9x'Cq$Oe0aXB1B1sA8MBIb9|q Zς2 @>uBݳh2Pq <\9) +]1?(VBQHT(b֧[" */U㦒',V bgL$Gz\:3o5zݾaӐԢRh'}0H o/%WA/_OQAM)\I-{"{4JEE:>VH“ T*j%``b^!0a8{" DB|h 1#)a01HKESv h0XKԀ=oF31.a"wx|UP}7͔%Eԍph֐+8`xt5Rۖz%eN1dӪVV,cvATkmz>TE阩?KڋӺ_f7;ێ&P;q`DXЖ%5tTTP7b>ǰVئo`++nB!)Ǟ%y՟s$X Jyٮ82ssss; x#|~?:u.3DHm̐.a {<_9EE}6Y}@;c}+ (H~Q7!%<ڢp4}1*]!KaFs3KK7'& aũczyNDe6? IʟR8S)]OmxRh5иQV6|""'>>I=4r\g@Z@mHfns̚X*Drp@TjHG>܆bXs~ j&]2<*F"T@$1Cχ{ZOxyCz6(3_A-UH޲,sL!}1lâ0$l{=(\! ِJ(r{tIh-s{z<IG@*?Xe)}e[#*lf[ U/Me9 6i!='>Jt4Aq#B֍kR?WԴ1iZ`̉7-W!7VYH}ïZ'X/`@z#q]v ߫ /يԗ}mӒ:KMӰݘeIc'x[ E~-+GWZgQ%<\u>iǯk%\חW۹xA9ҽV mr]$8ş /z[+W{gPGon zX|݅P!jf5 N:e6I{M_ro&`:ljVVgEQvZ򝧻.L [~GԹKfdk|/Mga{c ~u2oO@85kQ/NI7D(&wGPEX2̭,zdf+oü5Ȁz.@;p @{rMuLEu~x^,6'36g0ɗy`,'I~O:XV^4bd= Dw߁\<9C1"|ZXہbTbtq"wo(R=XPq})6:Ӣ=x5x ךE iH :[ "K:Ay3Mukia̰1fSYhMf!cb9je_]͹OQ. ]ZˣXuZ.{<&f@]&ޠ"r\餷 G]#DVtpU) &` /~Ũt_IM13X50~fDZa%v̈́󄾋7Zz%57:Qs773٢R_ݱ*aG2(n-)RjXY{>ITnp=jhD:ݤHdiYP)ϡVPJj\=tC=]d ЧәnL&:/0۱px&-Rý,&HPjߚcLJʞu9busΩ}?5r1c v%';3,&Yqoͳ.04&tNNu[M}@& A"th|G,%F̯~%|#+#oDis\X>]#> 1xAna`UԓFGĥ)׀!ςxBWH7˽}H['鍀I+62sjlo /u\o]Z3rѺzU=< 嵉DGXTܜțF>@E4;~⺁OI<R3g Osˮĉnтֽ?g.7L }C4 l  \ZS4eTo}A~b ̀ lZY!F(ЄG#eMNZfE< ,i Oh 5" c( n#B s43DÌ05c1;m:xB=ӾdlUoݐ%P`qT|8snj򽉁{:ςlQغ9P+bzh,.69ju{(ڽ0%lyї51o(6񏉓Fyvllŵ6vg5^Lˢ%ǎ!u„7^V CptYmn8~(hOvqt.ZzhR3 dzP!(% ʯ֗7R(d#֗7VF1/?d=}FO۹i{}yпvF?Ӿ(3fY|v9gggssyρ>3<>G/2 ?eBiFߠoP~Q{1?sw1'? ɐ/@q _fsA?]7c]7c=^X_c}}OY0Ok(*Πkh:k K:ICP%.Np2KQ /ޯ?e$|3YY zvAeX^f\12௛ednldҾ<4 aqʍz^Syښꦵpۭ]nX_KG{1*,xW& s hxVydb bye?VPw;]CҤ]j. {%])r-XѧZ}5_9p=U2̱C{":KQUޜb>s2 'ţ,I;H_5A'ԊRlOApt_Ew9[MAw0[`\/ydֺWWVWlNAm(O9y}³2پGh ߊD,y e%HI_1σO7m0ه^V՟p3nze&HqֿlolZ+O>j*85ߜ:H4wl߽RK$A^,޻O1D Xj&m\ŠMCao/aKZö,wz:se8@R4ǭair0nA8h-xq1mJ)TIb|3S7rɄHτ[W騿2SR%u 5iu=_mfoaV'ֆ*V<;BN/ɱF.yyBҗh`pb)WO~YFD`iEO潽]z"0~."6vI|e @ {SVݎΆa5vi`I1p"+*&|6bRez0$YLAƊr2&OFdu#+ҍ 1r*v_Sٲ7xq1MۀZO4mc6H[mgrnCk?}eW΅xOx\ Hv<M"#Ks!d b0Oty'Oqlg+0MD+fAl!&̴gB܎ ='ݹfSHL#dOʗ[lr| {ቒ$z &o:/s؍34JgX+.Ġ/>'G4WB)DAm{'e켟˖;7) m+#8C<ԸmQ޺%pm.a;+CO1֪m,gU|{ ˫#3қ![ 8=_vs[>/'_zQ[`KL- `zMeF@iZ:H\*,lf  ΋?Z/9qgSg _((U@Dq'˫Pyml< ^|:yKW]Q[ 0w6L%/#ZDC`Wpۂ{Xi[eRpCV)tO˞ĵ݋BVx3AEk,^reXѽdג?ΐ]PjãHƸӭ[ qy6`;Щ1D\Nգ˶)E9bM9QmQ--N?X71Ȟ|NtψnH\SQa[_fk8ill,eLW`YX&5IV3/O CׅѰ0K;,lyEG%RXRNCb 0A c:`Β 1>,G)h<˜4W6QĶqynұ˱Y)>evy:U9u, j׺W6x/yc|>[zD5bb&(=zLk|XKc&%ı`=b^8qe QS|/eY1w1LX+0W_kAsDeUTtBYEL`;X+NJy9폭*R$L0MÄr"+poq-y[әH pꧼ8g0N^XpTT/D4;NB}aEt1GǩW.rWb%P|Zk'oYI'4gxH%D=C= ɳaFK+O(QF~;XQ|9\`g`^z8)-9EKB\5[i B";wh6񞞝?`*XE l⍿#0146]ӨZY$IL#[ob[b$- U.ɾR6vᷮ QB6lS2u̹D/4^JB\qrHէr0>_֌VMӝ/2a-dc{͵N_ n<+