by lukeschlather
4461 days ago
I've seen SQLi blindly passed from frontend code to a backend service API and then executed. The indirection did help mask the issue so there was no suggestion the attack succeeded or way that it could actually be exploited, but it's perfectly possible to do what you describe without actually solving the sanitization problem. SOA is great for scalability, but not really that much of a boon for security (especially since you now have a problem of authentication between your frontend service and your backend service which is often ignored since it's behind the firewall and nobody is going to be snooping.) (Other than the NSA, GCHQ, and China.)
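The pass-through described in the comment above, as an added example that is not code from the original thread: a hypothetical frontend handler forwards a field to a backend service API, and the service splices it into SQL. The names (`frontend_request`, `backend_lookup_vulnerable`, `backend_lookup_fixed`) and the sample users table are assumptions made for this example; an in-memory SQLite database stands in for the backend's real store.

```python
import sqlite3

# Constructed sample data for this example, not data from the thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """In-memory SQLite standing in for the backend service's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def frontend_request(raw_name):
    """Hypothetical frontend handler: trims the field and forwards it to the
    backend service API as a JSON-like dict. It does no SQL-specific
    validation, which is typical; the frontend has no idea the value ends
    up inside a query."""
    return {"name": raw_name.strip()}


def backend_lookup_vulnerable(conn, request):
    """Backend endpoint that builds the query by string formatting.
    The extra API hop changes nothing: whatever the frontend forwarded is
    spliced into the SQL text verbatim."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % request["name"]
    return conn.execute(sql).fetchall()


def backend_lookup_fixed(conn, request):
    """Same endpoint, fixed once at the service layer with a bound parameter.
    The value travels to the driver separately from the SQL text, so it can
    never alter the query's structure regardless of what the frontend sent."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (request["name"],)).fetchall()


def demo():
    """Run both endpoints on a normal name and on a tautology payload.
    Returns row counts so the difference is visible without a network,
    a real frontend, or any error message leaking back to the caller."""
    conn = make_db()
    normal = frontend_request("alice")
    # Classic tautology: the leading quote closes the string literal the
    # vulnerable endpoint opened, and OR '1'='1' matches every row.
    attack = frontend_request("' OR '1'='1")
    return {
        "vulnerable_normal": len(backend_lookup_vulnerable(conn, normal)),
        "vulnerable_attack": len(backend_lookup_vulnerable(conn, attack)),
        "fixed_normal": len(backend_lookup_fixed(conn, normal)),
        "fixed_attack": len(backend_lookup_fixed(conn, attack)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(label, count)
```

The vulnerable endpoint returns every user for the tautology payload while the parameterized one returns none, and both return exactly one row for the legitimate name. Nothing in the frontend layer would have caught this; the fix has to live in the service that actually speaks SQL, which is also why the service boundary is the place to enforce authentication rather than trusting that internal callers are benign.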
But in a service layer you need to get it right once. And therefore if you don't, you have to fix it just once.
And coupling your business logic with your frontend layer suggests spaghetti code and violates DRY, because you typically have many frontends, but one app state.
Security is about focus. If the service coders can focus on the service being secure & fast, frontend guys can focus on the frontend being usable.
Otherwise you're asking everyone to think about everything, and human attention span, memory and skill sets are limited, and this does affect security.