When did we decide managing Users through Cloud REST architecture was more secure than having them in an underlying DB?

Because I can't put my finger on exactly why... but I don't like it and I think it's probably less secure... and just spawned from the need to be able to make user management a subscription-based service like fucking everything? When a simple MySQL or Postgres and some bcrypt somewhere would be both more secure and infinitely cheaper?

I'm more used to consuming REST APIs than writing them. Can any of you REST peeps help me understand how a REST API could be made as secure as a SQL DB connection for user management?

What do you think the attack vectors are for a REST API User Management? Like... what's the SQL injection of REST API? Pack some extra JSON somewhere or something?

At least if I can have faith my shit's not gonna get hacked because I have to use a 3rd party REST service for User Management of Users to my own fucking app I can maybe sleep tonight.

  • 1
    The only risk is that you don’t know how to use/configure it properly. Other than that, it is just an API, well I mean you communicate with SQL via an API, the only difference this time is you are using HTTPS.

    From a software design perspective, abstracting logic for user management away from the low-level data layer is a good idea, since you never know when you need to switch database engine, or are required by law to use a separate data center to store sensitive identity information. Always nice to have abstractions so you don’t need to spend months later to change everything.
  • 1
    I mean... a REST API is not storage, there is some storage mechanism somewhere behind it, probably a SQL DB or Document storage (NoSQL).

    As for security... It depends on the implementation and infrastructure setup.
    Is it a private Cloud? Are firewall rules tight? Is everything HTTPS? Is the storage properly locked, layers deep in your networking setup? Is the storage encrypted? Are auth tokens hashed and salted? Where do you keep the backups? Is the dev account access control to the cloud setup tight enough?... Just to name a few... if you're building your own cloud.

    If you're buying a service, then you should probably check if it's been independently audited, when and by whom. I think Auth0 has a pretty good track record... But then again I've never used them.
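An added example (my own, not code from anyone in this thread) of the storage side behind a user-management API, covering the second comment's "tokens hashed and salted" point and the question's "SQL injection of REST" worry: parameterised SQL, a salted password KDF, and bearer tokens stored only as hashes, so a dump of the table yields nothing reusable. It uses the standard library's PBKDF2 where the original post mentions bcrypt; the in-memory SQLite store, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Constructed in-memory store standing in for whatever DB sits behind the REST API.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
conn.execute("CREATE TABLE tokens (token_hash BLOB PRIMARY KEY, name TEXT)")
_DUMMY_SALT = os.urandom(16)  # keeps timing uniform when the user does not exist

def _kdf(password, salt):
    # Standard-library PBKDF2; bcrypt or scrypt would fill the same role.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _token_hash(token):
    # Tokens are high-entropy, so a plain hash suffices; only this is ever stored.
    return hashlib.sha256(token.encode()).digest()

def register(name, password):
    salt = os.urandom(16)
    # Parameterised query: input arriving via the REST layer never reaches SQL as text.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _kdf(password, salt)))

def login(name, password):
    """Verify the password and mint a bearer token, or return None."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    salt, pw_hash = row if row else (_DUMMY_SALT, b"\0" * 32)
    ok = hmac.compare_digest(pw_hash, _kdf(password, salt))  # always run the KDF
    if row is None or not ok:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO tokens VALUES (?, ?)", (_token_hash(token), name))
    return token

def whoami(token):
    """Resolve a presented bearer token to a user name, or None."""
    row = conn.execute("SELECT name FROM tokens WHERE token_hash = ?",
                       (_token_hash(token),)).fetchone()
    return row[0] if row else None

def demo():
    # Constructed sample flow: good login, wrong password, unknown user, bogus token.
    register("alice", "correct horse battery")
    token = login("alice", "correct horse battery")
    return (whoami(token), login("alice", "wrong"), login("nobody", "x"), whoami("bogus"))
```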