
How can I secure a REST web service?

I am studying for the Spring Core certification and I have some doubts related to how REST web services work; I am studying this to apply it to the Spring framework.

So I have some doubts related to this question found in my study material, but I can't find an answer.

So the questions are (I don't know if these questions are related to each other):

  1. Is REST secure? What can you do to secure it?

  2. Does REST work with transport layer security (TLS)?

I have understood how a REST web service works, and I know that it uses the HTTP methods to access resources and implement CRUD operations, but what does it mean to ask if REST is secure? What is meant by secure in this specific case?

And what exactly is TLS in REST?

AndreaNobili asked Sep 28 '22 08:09


2 Answers

1. Is REST secure? What can you do to secure it?

REST is a paradigm. It's not a finished protocol or an implementation. There are mechanisms to secure RESTful webservices (one would be TLS), but by default REST doesn't say anything about it.

OWASP gives a good overview of REST security topics and how to secure a RESTful webservice:

  • https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

What is security?

Please note that there are different security objectives in information security:

  • confidentiality
  • integrity
  • availability

All would need different security measures. Some cannot be handled by the webservice (REST) alone (e.g. availability would mean that the server itself is secured and you have security measures against DDoS attacks).

It's not really well defined what REST is in detail; it's not an official standard or a specification. I would say that REST per se is not secure. There are mechanisms you can build around it to secure it (like TLS, token authentication). Many of these measures have nothing to do with REST directly.

2. Does REST work with transport layer security (TLS)?

Yes. Transport Layer Security can encrypt the communication to a RESTful webservice and authenticate the server to a client (confidentiality and, to some extent, integrity).

jHilscher answered Nov 07 '22 18:11


1. It depends. Security is about tradeoffs, not a simple yes/no question. REST is not inherently secure or insecure; it depends on how you implement it. One example is SQL injection attacks: the use of REST has no bearing on whether the system prevents them. Another example is authorizing access: REST does not inherently limit access to the resources it exposes. If you need a guarantee that those resources can only be accessed locally, using REST will make it harder to ensure that.

2. Generally yes. Off-the-shelf servers support TLS, but a completely written-from-scratch program using REST to communicate might not implement TLS code (this is a rather unrealistic scenario, but I'm including it for the sake of completeness).

Brian answered Nov 07 '22 18:11
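An added example (not part of either answer, and not code from any project) illustrating the point in the answer above that REST by itself neither prevents SQL injection nor limits access: the same `GET /users/{id}` route written as a naive handler and as a hardened one. The route, the `users` table, the static token table and all function names are assumptions constructed for illustration.

```python
import hmac
import sqlite3

# Constructed sample data: a static token table (assumption; a real service
# would verify signed tokens or server-side sessions instead).
TOKENS = {"token-alice": 1, "token-bob": 2}

def make_db():
    """Build an in-memory database with two constructed user rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    return db

def get_user_naive(db, user_id, headers):
    """GET /users/{id}: no authentication, query built by string concatenation."""
    rows = db.execute("SELECT id, name, email FROM users WHERE id = " + user_id).fetchall()
    return (200, rows) if rows else (404, [])

def authenticate(headers):
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    for known, uid in TOKENS.items():
        # Constant-time comparison of the presented token with each known one.
        if hmac.compare_digest(known.encode(), token.encode()):
            return uid
    return None

def get_user_hardened(db, user_id, headers):
    """Same route with authentication, authorization and a bound parameter."""
    caller = authenticate(headers)
    if caller is None:
        return 401, []                   # no valid credentials
    if not user_id.isdecimal():          # validate the path segment
        return 400, []
    if int(user_id) != caller:           # callers may read only their own record
        return 403, []
    rows = db.execute("SELECT id, name, email FROM users WHERE id = ?",
                      (int(user_id),)).fetchall()
    return (200, rows) if rows else (404, [])
```

Both handlers expose the same REST resource; only the second one checks who is calling and keeps the path segment out of the SQL text.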