Another Hole in the Armor

I was talking with a couple of developers a while ago about security. They had developed a really nice security framework that granted users role-based access to their application. Based on the user's role(s), buttons and controls would appear or be hidden, restricting the user experience to the permissions that had been granted through those roles.

The whole design was really cool: flexible, extensible, and it did everything they needed. Then they had a penetration test performed on the application and found that none of their endpoints used encryption, and none required authentication. Anyone with a simple traffic-capturing tool, such as Fiddler, could capture their REST requests and attack their system at will.

I'm not sure how often this is the implementation strategy. Many companies run all of their applications behind their own firewall and have a false sense of security. The point is, even if you are using REST data access methods, you still need to plan as if users can gain access to the network where your web server resides and manipulate REST requests outside of your application. Hiding a button in the UI is not authorization; every endpoint has to authenticate the caller and check the role on the server. Even if the application is only accessed inside your WAN, your exposure to disgruntled employees is great.
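To make the gap concrete, here is an added Python example; it is not code from the editorial or from the developers' framework. It contrasts an endpoint handler that trusts the UI to have hidden the "delete" button with one that authenticates a signed bearer token and checks the caller's role on every request. The HMAC token format, the role table, the `SERVER_SECRET` value and the request shape are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed role-to-permission table; the same table the UI uses to hide
# buttons must also be enforced here, on the server.
ROLE_PERMISSIONS = {
    "admin": {"delete_customer", "view_customer"},
    "clerk": {"view_customer"},
}


def issue_token(user, roles, ttl_seconds=3600, now=None):
    """Mint a signed token: base64url(json payload) '.' hex(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):  # malformed token; binascii.Error is a ValueError
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims


def handle_delete_customer_unprotected(request):
    """The pattern the test found: the server assumes the UI already hid the button."""
    return {"status": 200, "deleted": request["customer_id"]}


def handle_delete_customer(request, now=None):
    """Hardened: authenticate and authorize every request, whatever the UI showed."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "authentication required"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return {"status": 401, "error": "invalid or expired token"}
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims["roles"]))
    if "delete_customer" not in allowed:
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "deleted": request["customer_id"]}


if __name__ == "__main__":
    clerk = issue_token("alice", ["clerk"])
    req = {"customer_id": 42, "headers": {"Authorization": "Bearer " + clerk}}
    print("unprotected:", handle_delete_customer_unprotected({"customer_id": 42}))
    print("clerk on hardened endpoint:", handle_delete_customer(req))
    print("no token on hardened endpoint:", handle_delete_customer({"customer_id": 42}))
```

The unprotected handler returns 200 for any caller, which is exactly what a captured and replayed REST request exploits. The hardened handler rejects requests with no token, a tampered or expired token, or a valid token whose roles do not carry the permission. Note that this only covers authentication and authorization; the missing encryption the test also found is fixed by serving the endpoints over TLS, which no amount of handler-level checking can substitute for.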

Do you secure your internal websites with certificates? Please help others by sharing your experience and best practices in our comments.

Cheers,

Ben