17 Cards in this Set

What is REST?

REpresentational State Transfer. A software architecture style consisting of guidelines and best practices for creating scalable web services.

4 Principles of REST

- Server returns representation of data
  - resources maintained by the server are separate from the representations returned to the client
  - server will return any format - not limited to the internal data structure
- Data is maintained through representation
  - resources on the server are manipulated via the representations issued to the clients
  - When a client holds a representation of a resource, including any metadata attached, it has enough information to modify or delete the resource
- Self-descriptive messages
  - Each message describes how it should be processed
  - E.g. content type (HTML, XML, JSON)
- Hypermedia as application state
  - REST is stateless - no client state stored on server
  - Application state is transferred using hypermedia (Hypermedia is an extension upon hypertext including audio, video and text)
  - Representation should contain information to allow access to related resources (e.g. a URI to related items)

Features of REST

- Separation of concerns between UI and core business data
- Makes use of generic HTTP methods
- Stateless data representation
- Platform/language independence
- Transmission protocol independence
- Security is transmission protocol dependent
- Cacheable (assuming idempotent calls)

What is SOAP?

Simple Object Access Protocol. An XML representation of data, most often transported over HTTP. SOAP is a successor of XML-RPC.

3 SOAP characteristics

- Extensibility
- Neutrality (any transport protocol)
- Independence (any programming model)

Features of SOAP (other than 3 characteristics)

- Envelopes data (HTTP also envelopes SOAP for transmission - ends up being cumbersome)
- Relies on metadata
- Implements end-to-end processing
- SOAP cannot be cached. SOAP over HTTP is sent via HTTP POST, which is non-idempotent, and thus is not cacheable
- SOAP security is not transport protocol dependent
- SOAP is not self-descriptive - needs WSDL to describe it

What is RPC?

Remote Procedure Call. A protocol that a program can use to call a procedure on a remote machine.

Features of RPC

- Issues with platforms (Android doesn't support RPC)
- Issues with communication through firewalls
- A synchronous operation
- RPC makes it easier to develop an application that includes multiple programs distributed in a network
- Favours a structured programming style with clearly defined interfaces
- Makes a remote call look like a local one

What is a Web Service?

A Web service is a method of communication between two electronic devices over a network. RPC, REST and SOAP are examples of web services.

OWASP top 10

1. Injection
2. Broken authentication
3. Cross-site scripting
4. Insecure direct object reference
5. Security misconfiguration
6. Sensitive data exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated redirects and forwards

Top API Security Techniques

- Identification
- Authentication
- Authorisation

Identification

- Generally through API key
- Included in each API request
- API can monitor usage
- Not encrypted by default, so easily discovered - used for audit rather than security
- Stops unauthorized applications from flooding the system

Authentication

- Username/password
- OAuth (3rd party provides proxy authentication)
- HTTP basic authentication is easiest and most common
  - Username/Password encoded using Base64
  - Typically used over HTTPS
- SAML - Security Assertion Markup Language - secure distribution of public keys to clients in line with WS-Security specifications

Authorisation

What the users can see/do. Programmed as part of the application logic.

API Best Practices

- Status Codes
- Rate limiting
- Documentation

URI

Uniform Resource Indicator.

URL

Uniform Resource Location. Location of a resource. URL can be a URI.