Recently, I’ve been doing a fair amount of work in the SOA area. It’s funny how many folks want to expose ancient code directly to untrusted third parties.
All is not well in the SOA space, and it’s important to understand the risk of web service enabling calls to “trusted” systems. That code is generally not written to handle input from malevolent attackers – it was designed to be called from internal staff who you have a strong legal relationship with and all the motivation in the world to keep their jobs.
This slide pack was intended for the April Melbourne OWASP chapter meeting, and it’s a basic taster of the stuff I’m going to be including in the forthcoming OWASP Guide 3.0.