I'm going to develop a Banking application that will send and receive information to mobile devices of bank account holder. I want to use REST api of Spring framework for this purpose. Is there any bank that uses RESTful api for applications?
Does RESTful api provide enough security for this purpose?
Or should I stick to use SOAP web service?
I know, this question is asked several times. But I want to concentrate on feasibility of REST api for Banking domain.
Most banks still use SOAP for integration, but you could find examples of companies like Visa or Paypal which expose their api in a RESTful way.
There is a key difference between using SOAP with WS-Security and a REST api with SSL, thats WS-Security which offers end-to-end security (offers confidentiality and integrity protection from the source of the message to the receiver).
What we are dealing here is security at two different levels: HTTPS applies at the transport layer (which you could apply to REST or SOAP service) and WS-Security applies at the application layer.
But now you could deal with REST using OAuth2, check on how Paypal uses it here.
Another question related: Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better?
Yes, it is as secure (or insecure) as any other method including SOAP. You still have to follow all best practices while writing your application (using https everywhere, encrypting sensitive data, making sure you don't write sensitive data to logs in plain text, and so on). It is best to discuss with the Security team for your bank/company, they'll usually have a set of requirements that you need to follow to secure your application.
From security perspective REST over HTTPS is good enough unless you need end-to-end security or you have compliance limitations.
If your banking mobile application will communicate through any intermediates (this could be NFC, Bluetooth Low Energy enabled POS e.g.) then I would recommend considering end-to-end security depending on risks and sensitivity of the information you are planning to send. Unfortunately there is no end-to-end security mechanism I can recommend for banking app except WS-Security. I had a look at many solutions like JSON Web Encryption (JWE), Javascript Object Signing and Encryption (JOSE), OAuth 1.0 Signature and others. I've found no solution which provides end-to-end security with respect to Integrity, Confidentiality, Authenticity for RESTful web-services out-of-the-box. The reason is that RESTful web-services are assumed to work always over HTTP and thus they will be protected with HTTPS. So if you need end-to-end security it's a good point to think about SOAP and WS-Security.
Another reason to think on WS-Security could be compliance regulations like PCI DSS. Then you can reduce compliance scope with end-to-end encryption of cardholder data. Good example is what Netflix guys did https://youtu.be/sYFDnGjNVrk. So investigate your compliance regulation if you have such before making a decision.
Related
I am fetching Gmail inbox to the web application by using Gmail API. I am using RestAPI to connect with the web application. Everything is working and ready to go live. But the app is rejected by Google and asks for a Security assessment which has around $75K expenses.
As we are only reading messages through API and users are also already permitted to perform the same activity.
My question is, How to avoid Security assessment as we are using restricted and sensitive scope like GMAIL API & PubSub. But without these scopes, we can't fetch the messages.
How to avoid Security assessment? Is there any other way to achieve this requirement?
Looking forward to the community help. It's a major blocker for us to go live.
Thanks in advance.
If you need to use a sensitive or restricted scope, and you are not exempt from verification.
There is no work around to the security assessment.
info from docs.
sensitive-scopes
Apps that request sensitive scopes must verify that they follow Google’s API Services User Data Policy and will not have to undergo an independent, third-party security assessment. This sensitive scopes verification process typically takes 3-5 business days to complete.
Option: don't request a sensitive scope.
https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
restricted-scopes
Apps that request restricted scopes must also verify that they follow Google’s API Services User Data Policy, but they must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment. For this reason, this restricted scopes verification process can potentially take several weeks to complete.
Option: Dont request a restricted scope.
https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
Exceptions to verification requirements
Could your app be exempt from the verification requirements.
I read the really interesting articles:
http://stytex.de/blog/2016/03/25/jhipster3-microservice-tutorial/
http://stytex.de/blog/2016/09/15/jhipster-3-dot-7-secure-service-communication/
My question is: how can I implement secure service-to-service communication in an application generated using JWT?
I suppose AuthorizedFeignClient annotation is only available for applications generated using OAuth2.
Thanks, Mic
It depends on how strict you see "service-to-service" communication.
Case 1: "authenticated" is enough or you want to forward the user's permissions (authorities, roles...) to the next service
Then you can use #AuthorizedUserFeignClient to enable token forwarding. Here the first microservice act as the user when making requests to the second microservice.
Case 2: request microservice should have different permissions than the user
In certain situations, you want to have different access control rules, when a request is done by a microservice, not user.
This problem is not trivial and one of the core use cases for the OAuth2 way of microservice security.
I am recentlly finding a solution of Web Security, As far as i known the HTTPS will bring more security web, but i found another Security solution of JOSE(JWT&JWE) so i want to known, i use it in the future, can i just use HTTP only but without HTTPS ?
Kris.
Thanks
Your question is legit to me and I am sorry to see that you received downvotes.
As far as i known the HTTPS will bring more security web, but i found another Security solution of JOSE(JWT&JWE)
I think there is a confusion between the both technologies.
JWE is just a format that represents content using JSON based data structures and that provides integrity protection and encryption whereas HTTPS is a secured layer for the HTTP communication protocol.
JWE is not a replacement to the HTTPS protocol.
The use of one technology, the other one or both of them only depends on your application context. HTTPS may not be absolutely necessary in some contexts and the secured communication provided by other means.
You mentioned that you want to find a solution for a security application. A secured connection should be always used in that context.
You absolutely need HTTPS even if you are using JWTs and JWEs. HTTPS allows your client to verify that they are talking to the server they are expecting to talk to. It also protects the content of the communication, including the JWT/JWE tokens that you are using. Without HTTPS, anybody who can listen to the communication between your client and your server can impersonate your clients.
JWTs in particular can carry information about your user. You may not need to forward it to the authorization server that granted the token (if you are using an asymmetric signing key) and still have enough information about the identity and permissions of your user to grant or deny them access to the resources that you are protecting.
More of a question of understanding rather than looking for a technical solution. I'm on a team working to build an iOS application that needs database support. We're using Swift for the application code. A Django REST API wraps a MySQL database on the backend. The two are communicating over HTTP using Swift's NSURLSession class.
We will be passing password information over one of the http requests, and so we want to up the requests to HTTPS. On the API side we can force traffic through SSL middleware using django-ssilfy.
My concern is that including this library does nothing on the client-side. As far as I know we will only need to change the url to include 'https://' rather than 'http://'. It seems that the data passed will only be secure once it reaches the API, rather than over the entire connection.
Is there anything we must do to secure the data being passed over the NSURLSession on Wi-Fi and mobile networks? Or is simply pointing the session at an API view that is throttled through a SSL port enough to ensure the request is secure?
Please let me know if I am way off track or if there is any steps other than django-ssilfy that I should take in order to make all http communication secure!
Go SO!
This question is more about whether or not SSL is secure, and less about if any of the tools that are being used make it less secure.
Luckily the Information Security Stack Exchange has your answer with an in-depth explanation as to how TLS does help secure your application.
When it comes to securing your Django site though, django-sslify is a good start, but it's not the magic cure to security issues. If you can, it's recommended to not serve insecure responses, which works well for API hosts (api.github.com is one example), but not if your API is hosted on the same domain as your front-end application. There are other Django apps available that are recommended, such as djang-secure (parts of which were integrated into Django 1.8).
You should also follow the Django security recommendations, and revisit them with new major releases. There are other resources you can look at, like "Is Django's built-in security enough" and many other questions on the Information Security Stack Exchange.
What are the advantages of using an HTTP Adapter in Worklight IBM to retrieve data from a Restful API instead of an ajax request? I think that using ajax is faster so why would one use such an adapter?
Take a look at the documentation and getting started modules.
Benefits of IBM Worklight adapters
Adapters provide various benefits, as follows:
Fast Development: Adapters are developed in JavaScript and XSL. Developers employ flexible and powerful server-side JavaScript to produce succinct and readable code for integrating with back-end applications and processing data. Developers can also use XSL to transform hierarchical back-end data to JSON.
Read-only and Transactional Capabilities: IBM Worklight adapters support read-only and transactional access modes to back-end systems.
Security: IBM Worklight adapters use flexible authentication facilities to create connections with back-end systems. Adapters offer control over the identity of the user with whom the connection is made. The user can be a system user, or a user on whose behalf the transaction is made.
Transparency: Data retrieved from back-end applications is exposed in a uniform manner, so that application developers can access data uniformly, regardless of its source, format, and protocol.