For many systems it seems that security is an afterthought, and that's the case also for the REST API. It is using SSL, but it's having several weakness points including username/password for system<->system communications, no transaction verification, etc. He has also written a utilities that are freely available on github that can be used to test different implementations of the REST API. He has used it to uncover several bugs that may give permissions to do operations without having the needed credentials.
For more info, check out episode 98 of Cloud Virtualization Security Roundtable.