Course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

SOAP and REST

- [Narrator] Application programming interfaces are the most popular way to integrate systems and interact with web services. An application programming interface, or an API, is a set of exposed interfaces that allow programmatic interaction between services. For example, Amazon Web Services publishes an API that allows developers to provision computing resources, maintain their cloud environment, and perform other administrative actions. Twitter also publishes an API that allows users to post Tweets, search through other users' Tweets, and perform the same interactions with the Twitter service that they would normally perform through the website in an automated way. This API allows anyone to write code that interacts with Twitter or use applications built by other developers that leverage the Twitter API.

The earliest APIs made use of a standard called the Simple Object Access Protocol, or SOAP. SOAP allows the exchange of service information using an XML format. It was the common standard for many years, but it has since been surpassed in popularity. Modern APIs mostly use a standard called Representational State Transfer, or REST. REST uses the same HTTPS protocol used for web communications to offer API endpoints that other code may interact with. This makes RESTful APIs quite accessible, and it's resulted in their overwhelming popularity.

As a security professional, you should be familiar with the API technology used in your organization, both by developers publishing services and users consuming them. There are two primary considerations when looking at API security. First, you should make sure that all communications between clients and servers are encrypted. When APIs are run over web services, this is as simple as enforcing the use of the encrypted HTTPS protocol instead of the unencrypted and insecure HTTP protocol.

Second, if API access is limited to authorized users, you need to make sure that API keys are being used to limit this access and that the storage, distribution, and transmission of those keys is done in a secure fashion. Anyone who gains access to another user's API key can essentially become that user as far as the service is concerned.
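The two considerations the narrator lists, shown as working code. This is an added example written for this page, not code from the course or from any real API provider. It assumes a hypothetical service whose clients carry an API key in the Authorization header; the store is in memory and the user name "alice" is constructed sample data. On the client side, the endpoint scheme is checked so a key is never sent over plaintext HTTP; on the server side, only a SHA-256 digest of each issued key is kept, so a copy of the key store does not let an attacker become any user, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse


def require_https(url: str) -> str:
    """Consideration 1: refuse to talk to an API endpoint over plaintext HTTP.

    A client that silently followed an http:// URL would send its API key in
    the clear, so the scheme is checked before any request is built.
    """
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing scheme {scheme!r}; the endpoint must be https")
    return url


def authorization_header(url: str, api_key: str) -> dict:
    """Build request headers that carry the key in the Authorization header.

    The key is kept out of the URL and query string, where it would end up in
    proxy and server access logs, and the URL is checked to be HTTPS first.
    """
    require_https(url)
    return {"Authorization": f"Bearer {api_key}"}


def hash_api_key(api_key: str) -> str:
    """The server stores only this digest, never the raw key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Consideration 2: issue, verify and revoke API keys without storing them.

    Hypothetical in-memory store for the example; a real service would keep the
    digests in its database. Because only a SHA-256 digest of each key is kept,
    leaking the store does not hand an attacker a usable key.
    """

    def __init__(self) -> None:
        self._digests: dict[str, str] = {}  # digest -> user the key belongs to

    def issue(self, user: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG; guessing is infeasible.
        api_key = secrets.token_urlsafe(32)
        self._digests[hash_api_key(api_key)] = user
        return api_key  # shown to the user exactly once; not retained here

    def authenticate(self, presented_key: str):
        """Return the user a key belongs to, or None if it is unknown or revoked."""
        presented = hash_api_key(presented_key)
        for stored, user in self._digests.items():
            # Constant-time comparison, so response timing does not reveal how
            # many leading characters of a guessed digest were correct.
            if hmac.compare_digest(stored, presented):
                return user
        return None

    def revoke(self, presented_key: str) -> bool:
        """Invalidate a leaked key; True if the key was known."""
        return self._digests.pop(hash_api_key(presented_key), None) is not None

    def stores_raw_key(self, api_key: str) -> bool:
        """Check that the raw key never appears in the store, only its digest."""
        return api_key in self._digests or api_key in self._digests.values()


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("alice")  # constructed sample user
    print("authenticates as:", store.authenticate(key))
    print("headers:", authorization_header("https://api.example.com/v1/items", key))
    try:
        require_https("http://api.example.com/v1/items")
    except ValueError as err:
        print("rejected:", err)
```

The linear scan with hmac.compare_digest is deliberate for the illustration; a production store would index by digest and can do so safely, since the digest of a 256-bit random key is not something an attacker can narrow down character by character.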
