Bruce Schneier has written, in the latest issue of CRYPTO-GRAM, an analysis of the security of Microsoft's products, touching on .NET and SOAP.
Speaking about SOAP, Schneier says: "It may be that SOAP offers sufficient security mechanisms, proper separation of code and data. However, Microsoft promotes it for its security avoidance."
Saying that SOAP should "be withdrawn", he quotes Microsoft:
According to the Microsoft documentation: "Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall." It is exactly this feature-above-security mindset that needs to go.
Schneier's comments, however, seem not to take account of the current state of SOAP's development, and are perhaps best read alongside his more general reservations about the mixing of data and program code. His reaction appears to be to the ill-advised firewall-piercing aspect promoted in the Microsoft documentation rather than to any particular aspect of the SOAP specification itself. The security-relevant point stands regardless of the specification: a firewall that passes HTTP is making no judgement about the method calls carried inside it, so exposing a SOAP endpoint over port 80 simply moves the access-control decision to the application behind the firewall, which must then make that decision itself.
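To make the firewall-piercing point concrete, here is an added example (not code from CRYPTO-GRAM, Schneier or Microsoft) showing what a packet filter cannot see and an application-layer check can. The SOAP namespaces and content types are the real ones; the host `example.invalid`, the `urn:example` operations and the allow-list are hypothetical, and the three HTTP requests are constructed for the example. To a port-based firewall all three are just HTTP POSTs; the classifier parses the envelope, extracts the operation in the SOAP Body, and only admits operations on an allow-list.

```python
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")
MAX_BODY = 64 * 1024  # refuse oversized envelopes before parsing them

# Constructed sample requests (hypothetical host and operations).
SOAP_GET_QUOTE = (
    b"POST /StockQuote HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "urn:example:GetQuote"\r\n'
    b"\r\n"
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><q:GetQuote xmlns:q="urn:example"><q:Symbol>MSFT</q:Symbol>'
    b"</q:GetQuote></soap:Body></soap:Envelope>"
)
SOAP_RESTART = SOAP_GET_QUOTE.replace(b"GetQuote", b"RestartService")
FORM_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice&pw=secret"
)

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def soap_operation(body: bytes):
    """Return (namespace, name) of the operation element inside the SOAP Body,
    or None when the body is not a well-formed SOAP 1.1/1.2 envelope."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag not in (f"{{{SOAP11_NS}}}Envelope", f"{{{SOAP12_NS}}}Envelope"):
        return None
    ns = root.tag[1:].split("}")[0]          # the envelope's own namespace
    soap_body = root.find(f"{{{ns}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    op = soap_body[0]                         # first child of Body is the RPC call
    if op.tag.startswith("{"):
        op_ns, op_name = op.tag[1:].split("}", 1)
    else:
        op_ns, op_name = "", op.tag
    return op_ns, op_name

def classify(raw: bytes, allowed_ops):
    """Decide whether an HTTP request is plain web traffic, an allowed SOAP
    call, or something to reject. Decisions are returned as strings."""
    method, _target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    claims_soap = "soapaction" in headers or ctype in SOAP_CONTENT_TYPES
    op = soap_operation(body) if method == "POST" else None
    if op is None:
        if claims_soap:
            return "reject: SOAP headers without a well-formed SOAP envelope"
        return "allow: not a SOAP call"
    if op in allowed_ops:
        return f"allow: SOAP {op[1]}"
    return f"reject: SOAP {op[1]} not on allow-list"

if __name__ == "__main__":
    allowed = {("urn:example", "GetQuote")}
    for name, req in (("GetQuote", SOAP_GET_QUOTE),
                      ("RestartService", SOAP_RESTART),
                      ("form post", FORM_POST)):
        print(f"{name:15s} -> {classify(req, allowed)}")
```

The decision is taken on the operation named inside the envelope, which is exactly the information a port-80 rule never looks at. In production the XML should be parsed with an entity-safe parser such as defusedxml rather than the stdlib module used here, the allow-list should be per-endpoint, and the check belongs in the SOAP endpoint or a reverse proxy in front of it, since that is where the access-control decision lands once the firewall has waved the request through.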
The reminder of the need for attention to security is timely, however.