Pete Soderling and Chris Comerford to Discuss Rotten REST Security at RSA 2010


Pete Soderling, CEO and founder of Stratus Security Technologies, and Chris Comerford, lead architect at Stratus Security Technologies and former principal engineer at RSA Security/EMC, are presenting "Why REST Security Doesn't Exist (and what to do about It)" at RSA Conference 2010 on Wednesday, March 3, session number AND-203.


Pete Soderling, CEO and founder of Stratus Security Technologies, and Chris Comerford, lead architect at Stratus Security Technologies and former principal engineer at RSA Security/EMC, are presenting "Why REST Security Doesn't Exist (and what to do about it)" at the RSA Conference 2010 Wednesday, March 3 at 10:40am.

REST (Representational State Transfer) is fast becoming the dominant style for building web services. As of January 2010, 1,100 of the 1,600 application programming interfaces (APIs) listed on Programmable Web were REST-based. But for many REST-based APIs, security measures are inadequate, according to Soderling and Comerford.

"The architectural style described by REST is simple, open, scalable and consistent with other Internet protocols, so we're all for it. But the security practices we're seeing are awful and leave large and small companies wide open to attack," said Comerford.

In general, APIs are more exposed than web applications because REST does not prescribe any security mechanism, so each developer defines their own. Developers in a hurry to open their APIs also often fail to treat them with the same diligence they apply to web applications, or they build on third-party platform services that lack a robust security architecture.

In their session, Comerford and Soderling will outline practices companies can follow to close the holes, including the following:

> Employ the same security mechanisms for your APIs as for any web application your organization deploys. For example, if you are filtering for XSS on the web front-end, do it for your APIs, preferably with the same tools.

> Don't roll your own security. Use a framework or existing library that has been peer-reviewed and tested.

> Unless your API is a free, read-only public API, don't rely on a single API key alone for authentication. Require a second credential (a password, i.e. a "secret") as well.

> Don't pass static keys in the clear. HTTP Basic only base64-encodes the credentials, so if you use it, send it only over an encrypted channel (TLS/HTTPS).

> Ideally, use a hash-based message authentication code (HMAC) over the request, because it is the strongest of these options: the client proves it holds the secret without ever sending the secret itself, and the signature is bound to the request contents. Use a SHA-2 hash (SHA-256 or stronger); avoid SHA-1 and MD5 because of their known weaknesses.
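The practices above fit together as a single request-signing scheme. The following is an added example written for this page, not code from Stratus Security or from the talk: a client signs each request with HMAC-SHA256 over the method, path, a timestamp and a hash of the body, and the server recomputes and compares the signature. It uses only the standard library (the "don't roll your own" point), keeps the shared secret off the wire, and rejects tampered or stale requests. The key id, secret, header names and the five-minute skew window are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed credentials for the example (hypothetical). The key id is public and
# travels in a header; the secret is known only to the client and the server and
# is never sent across the wire.
KEYS = {"client-123": b"0123456789abcdef0123456789abcdef"}

# Maximum tolerated clock skew between client and server (assumed value).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Build the exact byte string both sides sign: method, path, time, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: return the auth headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, ts, body).encode()
    # HMAC-SHA256 from the standard library; the secret itself is not transmitted.
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": signature}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason). Rejects unknown keys, stale or tampered requests."""
    secret = KEYS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(
        secret, canonical_string(method, path, ts, body).encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the check does not leak matching prefix length.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 100}'  # constructed request body
    hdrs = sign_request("client-123", KEYS["client-123"], "POST", "/v1/transfer", body)
    print(verify_request(hdrs, "POST", "/v1/transfer", body))
    print(verify_request(hdrs, "POST", "/v1/transfer", b'{"amount": 9000}'))
```

The timestamp window limits how long a captured request stays valid; a server that must also stop replays inside that window needs to record nonces or signatures it has already seen. HMAC authenticates the caller and the request contents but does not encrypt anything, so the request should still travel over TLS.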

"For years, APIs have delivered free content aimed at building an audience, so security was not a top priority. Now more companies are offering sensitive, high-value data via APIs, so security is paramount... but sadly lacking in many cases," said Soderling.

Soderling and Comerford will present additional details about REST security at the RSA session and on their blog at http://www.stratusec.com/blog.

The RSA Conference brings together the world's largest community of information security professionals. The event will be held March 1 - 5 at the Moscone Center in San Francisco. For more information about the event, please visit http://www.rsaconference.com.

For more information on "Why REST Security Doesn't Exist (and what to do about it)" please contact Stratus Security at http://www.stratusec.com or follow Stratus Security on Twitter at @StratusSecurity.

###


Contact Author

Lynda Radosevich