XTech 2007: “The Ubiquitous Web”, 15-18 May 2007, Paris, France

Security and REST Web Services

Richard Mooney (Vordel)
Core technology Concorde-Invalides
Chair: David Megginson (Megginson Technologies Ltd)

Web Services are usually associated with the “triumvirate” of SOAP, WSDL, and UDDI. However, REST Web Services are enjoying increasing popularity, a trend further compounded by the takeoff of Web 2.0. With sites such as Flickr and Google Maps making “Web Service” features readily available for incorporation into other sites, it is very difficult for developers to create locked-down Web 2.0 applications.

Although the theory surrounding REST (REpresentational State Transfer) is complex, the practice is simple: use long-established Web technologies instead of SOAP. However, the security model for REST is not nearly as highly developed as the security model for SOAP. REST Web Services tend to use custom security tokens passed on URL query strings.

This session answers two questions: 1) Are REST Web Services inherently insecure? 2) How can a security model apply to both SOAP and REST Web Services?

High-level agenda:

  • What is REST? Getting beyond the complex terminology to the real essence of REST.
  • Why is REST so popular when compared to SOAP?
  • Can Web Application Security techniques adequately protect REST Web Services?
  • Since REST Web Services cannot use WS-Security, does that mean they are insecure?
  • What security guidelines can you offer to developers in your organization who are using REST Web Services?
  • How can a security policy apply to both REST and SOAP Web

Richard Mooney

Vordel

Richard Mooney is a senior solution architect with Vordel, a leading provider of SOA security and governance infrastructure products. Richard is responsible for architecting and implementing best-of-breed SOA security infrastructures for leading Fortune 1000 and public sector organizations in Europe and North America. Richard regularly delivers training workshops to partners and customers and is also a frequent presenter at industry conferences. Prior to joining Vordel, Richard worked at Sun, Oracle and LogicaCMG. He has an Engineering qualification from University College Dublin.