The Internet has become a core part of how “business as usual” is conducted around the world. Websites have become essential to businesses’ market and customer service strategy, making the ability to quickly and efficiently access the data stored there an important factor in an organization’s ability to operate, remain profitable, and retain customers.
Application Programming Interfaces (APIs) are designed to increase the efficiency of automated interactions with web resources. By providing a way to bypass web pages and access the data behind them directly, along with a clear format for those requests, APIs streamline the process by which programs communicate. This enables bulk access to a site's data and the automation of repetitive tasks.
When developing an API, it’s important to consider API security. The two API standards (REST and SOAP) have significant differences, and understanding these differences is important to making the correct choice for your particular use case.
API Overview
Application Programming Interfaces (APIs) are designed to make it easier to automate access to web resources. This makes life easier for everyone, since it allows bulk data access without degrading the site's accessibility for traditional users (an API can point to a completely separate server).
When implementing an API, developers have two main options:
Representational State Transfer (REST)
Representational State Transfer (REST) APIs are designed to be the simpler of the two options to use. They take advantage of easy-to-use protocols for data transfer and storage, reducing the load on the programmer implementing the system.
For API requests, REST employs the Hypertext Transfer Protocol (HTTP), the same protocol used to serve web pages. Just as the modern web uses TLS (HTTPS) to protect and authenticate websites, REST relies on them to protect its requests.
Because each HTTP request carries all of the information needed to service it, REST can be stateless and does not require the request data to be repackaged, which makes it faster and easier to use. At the data level, REST uses the JavaScript Object Notation (JSON) standard to organize the contents of its requests. JSON is widely used and easy to build and read, making it a good choice for web APIs.
Simple Object Access Protocol (SOAP)
The Simple Object Access Protocol (SOAP) is an Extensible Markup Language (XML)-based competitor to REST. SOAP is a more complicated protocol to use than REST but has the advantages of increased security and built-in error handling for requests (with REST, a request that hits an error must be resent by the client).
An important differentiator for SOAP-based APIs in the security arena is the fact that they have a built-in security protocol called Web Services Security (WS Security). This protocol uses XML encryption and signatures and SAML tokens to provide authentication for requests. It also incorporates recommendations from the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C).
The major downside of SOAP is its increased complexity compared to a REST API. The additional security standards built into SOAP have their associated overhead, and SOAP's envelope-based style of payload transportation requires additional data repackaging and routing. As a result, it is easier to misconfigure a SOAP API in a way that negatively impacts usability or security.
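To make the envelope-versus-HTTP difference concrete, here is an added example (not code from the original article) that expresses the same "get balance" request REST-style (HTTP + JSON) and SOAP-style (XML envelope carrying a WS-Security header), and then performs the server-side envelope check a SOAP endpoint would run. The service namespace "urn:example:bank", the paths, and the account ids are constructed placeholders; the SOAP and WS-Security namespace URIs are the real ones.

```python
# Added illustration, not code from the article: the same "get balance" request
# expressed REST-style (HTTP + JSON) and SOAP-style (XML envelope carrying a
# WS-Security header), plus a server-side check of that envelope. Service
# namespace "urn:example:bank", paths and account ids are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP_ENV, "wsse": WSSE, "wsu": WSU}
BANK = "urn:example:bank"  # constructed service namespace

def rest_request(account_id: str, bearer_token: str) -> dict:
    """REST: the HTTP request itself carries method, resource and credential."""
    return {"method": "GET", "path": f"/accounts/{account_id}/balance",
            "headers": {"Authorization": f"Bearer {bearer_token}",
                        "Accept": "application/json"}, "body": None}

def soap_request(account_id: str, username: str, expires: datetime) -> str:
    """SOAP: the payload is repackaged into Envelope/Header/Body; the credential
    and a freshness Timestamp travel in the wsse:Security header."""
    exp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<soap:Header><wsse:Security><wsu:Timestamp><wsu:Expires>{exp}</wsu:Expires>"
            f"</wsu:Timestamp><wsse:UsernameToken><wsse:Username>{escape(username)}"
            f"</wsse:Username></wsse:UsernameToken></wsse:Security></soap:Header>"
            f'<soap:Body><GetBalance xmlns="{BANK}"><AccountId>{escape(account_id)}'
            f"</AccountId></GetBalance></soap:Body></soap:Envelope>")

def validate_soap_envelope(xml_text: str, now: datetime) -> dict:
    """Server side: reject envelopes that lack the WS-Security header or whose
    Timestamp has expired, then pull the operation out of the Body.
    (Production code should parse with a hardened parser such as defusedxml.)"""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return {"ok": False, "error": "not a SOAP 1.1 envelope"}
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return {"ok": False, "error": "missing WS-Security header"}
    exp = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if exp is None or datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        return {"ok": False, "error": "Timestamp missing or expired"}
    user = sec.findtext("wsse:UsernameToken/wsse:Username", namespaces=NS)
    acct = root.findtext(f"soap:Body/{{{BANK}}}GetBalance/{{{BANK}}}AccountId", namespaces=NS)
    if not user or not acct:
        return {"ok": False, "error": "incomplete request"}
    return {"ok": True, "username": user, "account_id": acct}
```

The REST form needs no wrapper at all, while the SOAP form must be built, parsed and checked layer by layer, which is where the extra overhead and the extra room for mistakes come from.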
How REST and SOAP Security Differ
From a cybersecurity standpoint, the choice between REST and SOAP is a trade-off between security and complexity. SOAP is widely regarded as the more secure platform.
It has built-in support for Web Services Security (WS Security) protocols that are designed to provide confidentiality and authentication protections to the data being transmitted and the users at each end of the connection.
It also uses XML encryption, XML signatures, and SAML tokens to help ensure that only authorized parties have access to sensitive data. In general, when processing sensitive data, SOAP is the better choice.
However, SOAP is also the more complex of the two protocols to implement. REST uses JSON, which is easy to parse, to represent data and HTTP(S) requests to move it around. This makes the system much easier to implement and decreases the probability of a mistake.
When dealing with non-sensitive data, REST is probably the easier choice, especially if you don’t have access to an expert on implementing secure SOAP APIs.
Securing Your API
The choice between REST and SOAP as an API mainly depends on the data being processed and transmitted via the API. SOAP is more secure but also more complex, meaning that it is the best choice mainly when the sensitivity of the data requires it.
REST is easier to implement for APIs requiring less security, decreasing the probability of a mistake introducing an exploitable vulnerability.
After implementing an API, it's also important to properly protect it. APIs are designed to provide programmatic access to an organization's web services, making them a prime target for attackers. When implementing an API with access to sensitive data, protecting it with a Web Application Firewall (WAF) is a good idea.
APIs are prone to injection and man-in-the-middle (MitM) attacks designed to gain unauthorized access or intercept sensitive data. A good WAF can identify and block these attacks, protecting your API.