Security as an add-on

Came across this choice quote today from Tyler Klose:

Software products that encourage treating security as an “add-on” typically try to characterize security as something that is extraneous to application “business logic”. Such characterizations are misguided. The main point of a web service is to provide controlled access to a service. In a web service, security is your business logic.

Beautiful!

The fact is, your web services need to be designed with security in mind from the ground up. The “you do the business logic, we will take care of everything else” approach usually doesn’t work. Not only does it not work – it is fundamentally flawed, a contradiction by definition: if the purpose of the service is to provide controlled access, then taking security out of the business logic leaves nothing of the business logic behind. This is what sane people have been arguing for.
