Everybody knows that REST is simple and easy to use, while SOAP is complex and difficult. However, one of the things that made SOAP complex is its security model: all those specifications starting with WS-*: WS-Security, WS-Trust, WS-SecureConversation, WS-Policy… The list goes on.
But at least SOAP had a security model. With REST, security is less established. It’s the “Wild West” (the “Wild REST”) in terms of security.
So how can you secure REST APIs? Can you treat them just like websites and apply SSL and some web application firewall techniques? Do threats like SQL injection even apply? And what about OAuth?