> Do employ the same security mechanisms for your APIs as for any web application your organization deploys. For example, if you are filtering for XSS on the web front-end, you must do it for your APIs as well, preferably with the same tools, so the two paths cannot drift apart.
> Don't roll your own security. Use a framework or existing library that has been peer-reviewed and tested. Developers not familiar with designing secure systems often produce flawed security implementations when they try to do it themselves, and they leave their APIs vulnerable to attack.
> Unless your API is a free, read-only public API, don't rely on a single API key as the only authentication factor. It's not enough. Add a password requirement.
> Don't pass unencrypted static keys. If you're using HTTP Basic authentication, the credentials cross the wire in Base64, which is an encoding and not encryption, so send them only over TLS.
> Ideally, use a hash-based message authentication code (HMAC) because it is the strongest of these options: the client signs each request with a shared secret, so the secret itself never crosses the wire and any tampering with the signed fields is detected. (Use SHA-2 or later as the underlying hash; avoid SHA-1 and MD5 because of their known weaknesses.)
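The HMAC request-signing scheme recommended in the last two points, as an added example that is not code from the original article or its authors. It assumes a hypothetical client identifier and shared secret, a hypothetical header layout (`X-Key-Id`, `X-Timestamp`, `X-Signature`), and a constructed JSON body; the shared secret is provisioned out-of-band and never appears in the request. The canonical string covers the method, path, a timestamp and a SHA-256 digest of the body, so the server rejects a modified body, a replayed request outside the clock-skew window, and an unknown key, and compares signatures in constant time.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed example credentials (hypothetical; not from the original article).
# The key id identifies the client; the secret is shared out-of-band and
# never travels over the wire.
CLIENTS = {"acme-client": b"s3cr3t-shared-key-issued-out-of-band"}

# Accept requests whose timestamp is within this window, to limit replay.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Build the string both sides sign: method, path, timestamp and a
    SHA-256 digest of the body, newline-separated so fields cannot run
    into each other."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), quote(path, safe="/"), str(timestamp), body_hash])


def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: return the authentication headers for one request."""
    if timestamp is None:
        timestamp = int(time.time())
    secret = CLIENTS[key_id]
    message = canonical_string(method, path, timestamp, body).encode()
    mac = hmac.new(secret, message, hashlib.sha256)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the HMAC and compare it in constant time.
    Returns (ok, reason)."""
    if now is None:
        now = int(time.time())
    secret = CLIENTS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside window"
    message = canonical_string(method, path, timestamp, body).encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of a mismatch via timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Sign one constructed request and check how the server treats the
    genuine request, a tampered body, a late replay and an unknown key."""
    body = b'{"amount": 100, "to": "alice"}'  # constructed sample body
    now = 1_700_000_000
    headers = sign_request("acme-client", "POST", "/v1/transfers", body, timestamp=now)
    tampered = b'{"amount": 100, "to": "mallory"}'
    return {
        "valid": verify_request(headers, "POST", "/v1/transfers", body, now=now)[0],
        "tampered_body": verify_request(headers, "POST", "/v1/transfers", tampered, now=now)[0],
        "replayed_late": verify_request(headers, "POST", "/v1/transfers", body, now=now + 3600)[0],
        "wrong_key": verify_request({**headers, "X-Key-Id": "nobody"}, "POST", "/v1/transfers", body, now=now)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A timestamp window bounds replay but does not eliminate it; a production service would also record recently seen signatures (or a per-request nonce) within that window. Note that the signature binds only what is in the canonical string, so any header or query parameter that affects the server's behaviour belongs in it too.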
We'll be getting into greater technical depth on REST web service security issues and methods at the RSA Conference 2010 [www.rsaconference.com], session ID AND-203. Hope to see you there!
Chris Comerford is lead architect at Stratus Security Technologies (www.stratusec.com) and former principal engineer at RSA Security/EMC. Pete Soderling is founder and CEO of Stratus Security Technologies (www.stratusec.com) and founder and CEO of mechanikal, a software development agency.