Keeping PCs Safe on the Internet

PC Security Journal

Subscribe to PC Security Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get PC Security Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


PC Security Journal Authors: RealWire News Distribution, Denise Dubie, Lacey Thoms, Bob Gourley, Michael Bushong

Related Topics: PC Security Journal, Intel XML, XML Magazine, SOA Best Practices Digest, Security Journal, SOA & WOA Magazine, SOA in the Cloud Expo

Blog Feed Post

The Importance of Threat Protection for RESTful Web Services

RESTful web services are closely aligned to the web

SOA Best Practices Digest

Although certain RESTful web services are of a ‘public’ nature and do not have specific security requirements such as authentication and authorization, any service that has an entry point from an untrusted network is subject to attack and proper threat protection measures are always an essential consideration.

RESTful web services are closely aligned to the web itself and as such inherit all traditional threats from the web. Although network level threats are well understood and addressed by traditional firewall infrastructure, RESTful web services type APIs are also subject to content (or message) level threats.

For example, consider APIs where XML payloads are POSTed and/or PUT from external requesters. A particularly dangerous threat was uncovered last summer involving a vulnerability in most XML parsing libraries used at the time. Any REST web service using those XML parsing libraries could have easily been crippled. In fact, I would expect many deployments out there still using vulnerable versions of those XML parsers today.

Despite fixes applied to parsing libraries to address such vulnerabilities, many potential content-level attacks continue to pose a threat. Consider for example external entity attacks, where a parser is tricked into resolving a resource from a malicious source. Also, SQL injections which were recently at the center of the largest data breach in US history . Many other threats specifically targeting XML enabled services exist such as recursive payloads, schema poisoning and coercive parsing to name a few.

Of course, REST is not bound to XML only. Threat protection for RESTful web services has to potentially consider a number of other content-type specific threats such as for JSON.

Read the original blog entry...

More Stories By Francois Lascelles

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth. Follow Francois on Twitter: @flascelles