Are REST APIs Inherently Insecure?
by
Join the DZone community and get the full member experience.
Join For FreeREST
security is a hot topic. One of the reasons for this is the continued
blowback from the over-complexity of the WS-* specifications. These
specifications, including WS-Security, WS-Trust, and
WS-ReliableMessaging, and were notorious for being difficult to
comprehend. In fact, people wrote whole books about Web Services Security :-)
. One of the benefits of REST is simplicity. But, on the flipside, the
lack of standards for security has led to the proliferation of ad-hoc
security approaches such as the use of API Keys. API Keys are frequently
used for API "authentication" often without much regard for potential
attacks such as replay attacks.
But, by using an API Gateway approach, is it possible to layer on security for REST APIs? Could they (shock, horror) co-exist with heavyweight WS-* style SOAP web services? I'll be talking about this topic in my talk on "Are REST APIs Inherently Insecure" at the ISC2 Security Congress in October in Atlanta . Hope to see you there?
But, by using an API Gateway approach, is it possible to layer on security for REST APIs? Could they (shock, horror) co-exist with heavyweight WS-* style SOAP web services? I'll be talking about this topic in my talk on "Are REST APIs Inherently Insecure" at the ISC2 Security Congress in October in Atlanta . Hope to see you there?
REST
Web Protocols
Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments