A friend of mine has made a post to his blog (http://www.illegalexception.com/content.php?id=102) about web services been bad for security. I don't see it that way - I see them as exactly the same as any other web based application or script that's exposed to the Internet and no more insecure.
That's not to say they aren't all insecure in some way, but he's concerned about the security of the client when a web service runs on the server and provides only an XML interface for data exchange.
I can't understand why a virus, trojan, or idiot user would install a webserver, configure a scripting language (Java servlets, PHP, ASP.NET, what have you...) then advertise a web service that will run with fairly limited rights (ie - the rights of the scripting language, which can't be root on *nix and is commonly INET_yourcomputer on Windows).
It would be far easier for a virus to simply down the local firewall then open a port - and it would have more power once it was done.
Web services simply take the human interface out of web applications, allowing an application to directly access one as if it were a local module of code - IE - the amazon web services allow you to search for products on the amazon site, and get back a list of objects in your application.Permalink