The number of applications built on a client-side MVC architecture, such as native mobile applications (iOS or Android) or client-side MVC web frameworks (AngularJS, React, etc.), that consume RESTful services is growing rapidly.

The security risks associated with those environments are, in many cases, very similar to the traditional web risks associated with server-side MVC architectures built on frameworks such as Spring MVC, Grails or JSF.

In other words, even though attacks against these kinds of client-side MVC architectures can be more complex to implement in some cases, the underlying risks remain almost the same, essentially because many of them are server-side risks that do not depend on the client-side technology.

Reviewing the traditional OWASP Top 10 web risks, almost all of them remain relevant in these new scenarios, the exception being the XSS risk in native mobile applications that do not use any web rendering feature.

So the question is: how can we protect these service-based applications against the traditional OWASP Top 10 web risks?

HATEOAS is a constraint of the REST application architecture that, in addition to well-known benefits such as discoverability and a decoupled architecture, can help improve your application's security. In REST implementations without HATEOAS, the client decides what it can do next. With HATEOAS, the server does not return only data: it returns data together with hypermedia artifacts (links) that tell the client which actions are available at a given point, based on the state of the server-side application workflow.
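The following is an added illustration of that idea in plain Python; it is not code from this post, from Hdiv or from Spring HATEOAS. It assumes a constructed order workflow: the server emits only the links valid for the resource's current state, and then enforces that any requested action is one it actually advertised, so a client that forges a URL for a non-advertised transition is rejected even though the endpoint exists.

```python
# Added example, not code from the post or from Hdiv / Spring HATEOAS.
# Models the HATEOAS point made above: the server returns data plus the
# links that are valid for the resource's current state, and enforces that
# a requested action is one it advertised. All names below are constructed.
from dataclasses import dataclass

# Constructed workflow: the actions permitted in each order state and the
# state each action leads to. Terminal states advertise no actions.
TRANSITIONS = {
    "created":   {"pay": "paid", "cancel": "cancelled"},
    "paid":      {"ship": "shipped", "refund": "refunded"},
    "shipped":   {},
    "cancelled": {},
    "refunded":  {},
}


@dataclass
class Order:
    order_id: int
    state: str = "created"


def represent(order: Order) -> dict:
    """Data plus hypermedia: only the links valid for the current state."""
    links = {
        action: f"/orders/{order.order_id}/{action}"
        for action in TRANSITIONS[order.state]
    }
    return {"id": order.order_id, "state": order.state, "_links": links}


def perform(order: Order, action: str) -> dict:
    """Server-side enforcement of the advertised link set.

    A client that builds its own URL for an action the server did not
    advertise (forced browsing or parameter tampering) is refused here,
    regardless of whether the endpoint itself exists on the server.
    """
    allowed = TRANSITIONS[order.state]
    if action not in allowed:
        return {"status": 403,
                "error": f"'{action}' is not permitted in state '{order.state}'"}
    order.state = allowed[action]
    return represent(order)
```

The check in `perform` is the server-side counterpart of the link set in `represent`: the same table drives both, so the client never sees a link the server would later reject, and the server never honours a link it did not emit.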

The talk at Spring I/O will present an innovative approach to automating the protection of Spring HATEOAS services against the OWASP Top 10 security risks, through the integration of Spring HATEOAS with Hdiv.
