Enterprise Integration Zone is brought to you in partnership with:

Mark O'Neill is VP Innovation at Axway. Previously, he was CTO and co-founder at Vordel, acquired by Axway in 2012. He is the author of the McGraw-Hill book "Web Services Security" and is frequent speaker at conferences including Java One, the RSA Security Conference, and Oracle Open World. Mark is based on Boston, Massachusetts. Mark is a DZone MVB and is not an employee of DZone and has posted 64 posts at DZone. You can read more from them at their website. View Full User Profile

Are REST APIs Inherently Insecure?

08.15.2014
| 3965 views |
  • submit to reddit
REST security is a hot topic. One of the reasons for this is the continued blowback from the over-complexity of the WS-* specifications. These specifications,  including WS-Security, WS-Trust, and WS-ReliableMessaging, and were notorious for being difficult to comprehend. In fact, people wrote whole books about Web Services Security :-) . One of the benefits of REST is simplicity. But, on the flipside, the lack of standards for security has led to the proliferation of ad-hoc security approaches such as the use of API Keys. API Keys are frequently used for API "authentication" often without much regard for potential attacks such as replay attacks.

But, by using an API Gateway approach, is it possible to layer on security for REST APIs? Could they (shock, horror) co-exist with heavyweight WS-* style SOAP web services? I'll be talking about this topic in my talk on "Are REST APIs Inherently Insecure" at the ISC2 Security Congress in October in Atlanta . Hope to see you there?


Read the original blog entry...

 

Published at DZone with permission of Mark O'neill, author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)