Tuesday, December 18, 2012

REST API security

Special guest in episode 98 is George Reese who is Founder and CTO of enStratus. Topic this time is API security, and especially for the REST API. One of the things that are commonly used for communications between systems in the cloud is the REST API.

For many systems it seems that security is an afterthought, and that's the case also for the REST API. It is using SSL, but it's having several weakness points including username/password for system<->system communications, no transaction verification, etc. He has also written a utilities that are freely available on github that can be used to test different implementations of the REST API. He has used it to uncover several bugs that may give permissions to do operations without having the needed credentials.

For more info, check out episode 98 of Cloud Virtualization Security Roundtable.

Audio: Virtualization Security Roundtable, episode 98