Update (since this post is linked from multiple places): see this post on REST Threat Models and Attack Surface for more on the current state of REST security options.
So the whole REST security thing just gets funnier: the S-for-Simple folks forget that S also stands for Security. Here was a response to my post on the fact that people who say REST is simpler than SOAP with WS-Security conveniently ignore things like, oh, message-level security:
HTTP Basic or HTTP Digest or SSL (certificate-based) for authentication. SSL for encryption and digital signatures. You know, the way we've been doing things since 1995.
Where to start? Right, it was state of the art in 1995. No bout a doubt it. The world has moved on slightly since then. You know, a couple 97 million stolen identities, endless phishing/pharming (growing double-digit percent each month), malware taking 60% CPU utilization on consumer desktops. You know, little stuff like that.
HTTP Basic? The hell you say. Here is a round-up of ways to break and/or bypass that. There are only 5 listed, however.
Warning of Al Qaeda cyber attack on finance sites
The US government has warned financial services companies of an Al Qaeda call for a cyber attack against online stock trading and banking websites beginning today.
Don't worry about that boss, I put HTTP Basic in front of our apps!
SSL? My friend Daniel opined thusly about the wisdom of SSL and REST:
It's nice to run it all over HTTPS, so now the gigantic hole you made in the firewall will provide some privacy for me as I dig through your customer's credit card numbers...
You just have to love a point-to-point security model in a system that, last time I checked, is supposed to be about interoperability.
Hey boss, where should I put that SSL thingie again?
Now, if you are at all serious about putting some security mechanisms into your REST, there are some good examples. One is Amazon's developer tokens, which use an HMAC for authentication at the message level (you know, where the data is). But if you are going to say that REST is so much simpler than SOAP, then you should compare REST with HMAC et al. to the sorts of encryption and signature services WS-Security gives you, and then see how much simpler it is. And, you know, maybe even see, oh golly gee I don't know, which one protects your customers' data better? Until then, we'll just continue (as Gene Spafford said) using an armored car to deliver between someone living in a cardboard box and someone living on a park bench.
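To make the message-level point concrete, here is an added example (my own, not Amazon's actual developer-token scheme and not code from the original post) of a REST request signed with an HMAC over the method, path, timestamp and body hash, plus the server-side check; the header names, access key id and secret are made up for the example.

```python
import hashlib
import hmac
import time

# Constructed credentials for the example; a real deployment issues these per client.
SECRET_KEY = b"constructed-secret-key-do-not-reuse"
ACCESS_KEY_ID = "AKIDEXAMPLE"


def string_to_sign(method, path, timestamp, body):
    """Canonical form of the request parts the signature protects."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method, path, body, timestamp=None):
    """Client side: produce the three headers that carry the message-level auth."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(SECRET_KEY, string_to_sign(method, path, ts, body), hashlib.sha256)
    return {"X-Access-Key": ACCESS_KEY_ID, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None, max_skew=300):
    """Server side: recompute the MAC and compare in constant time. Returns (ok, reason)."""
    if headers.get("X-Access-Key") != ACCESS_KEY_ID:
        return False, "unknown key"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False, "stale request"  # bounds the window in which a captured request can be replayed
    expected = hmac.new(SECRET_KEY, string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"  # any change to method, path, time or body lands here
    return True, "ok"


def demo():
    """Constructed transfer request: genuine, body-tampered, and replayed an hour later."""
    body = b'{"account":"12345","amount":10}'
    hdrs = sign_request("POST", "/transfer", body, timestamp=1_700_000_000)
    genuine = verify_request("POST", "/transfer", body, hdrs, now=1_700_000_010)
    tampered = verify_request("POST", "/transfer", b'{"account":"12345","amount":10000}', hdrs, now=1_700_000_010)
    replayed = verify_request("POST", "/transfer", body, hdrs, now=1_700_000_000 + 3600)
    return genuine, tampered, replayed
```

Because the MAC covers the body, a request altered anywhere between the client and the application (including past the point where TLS terminates) fails verification, which is exactly what the transport-only model above cannot give you.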