A Formal Approach to Secure Design of RESTful Web APIs Using SOFL.

SOFL+MSVL (2020)

Abstract
A primary concern in the design and development of RESTful Application Programming Interfaces (APIs) is API security. A RESTful API provides data over the network using HTTP and must not violate any of its security properties. When APIs are designed, the functional and security properties are inextricably linked; thus the security requirements of an API cannot be treated as an afterthought. We therefore propose an approach to specifying and verifying an API's functional and security requirements with the practical formal method SOFL (Structured Object-Oriented Formal Language). We convert an API specification written in an API description language into SOFL, expressing security requirements as constraints on the API's functional requirements and on the dataflow across the API's trust boundaries. The specifications are verified using specification-based conformance testing. We apply this approach to a model of an online banking API as a case study, implemented with the Django REST Framework, and analyze the results.
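To make the abstract's central idea concrete, the following added example (not code from the paper or from its case study) shows what it means to express a security requirement as a constraint on an API operation's functional requirements and then check an implementation against that specification by conformance testing. Plain Python predicates stand in for SOFL pre- and post-conditions, and the bank model, the two candidate implementations, and the test data are all constructed for this illustration; the Django REST Framework is not involved.

```python
"""Added illustration (not from the paper): an API operation's functional and
security requirements written as pre/post-condition constraints, then checked
by specification-based conformance testing. Plain Python predicates stand in
for SOFL conditions; the bank model, names and test data are constructed."""
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Account:
    owner: str      # authenticated principal allowed to debit this account
    balance: int    # integer minor units, e.g. cents


@dataclass
class Transfer:
    caller: str     # principal established at the API's trust boundary (auth layer)
    src: str
    dst: str
    amount: int


# --- Specification of a hypothetical POST /transfer operation ---------------
def transfer_pre(state, t):
    """Pre-condition: functional constraints plus the security constraint that
    the caller owns the source account (authorization is part of the spec)."""
    return (t.amount > 0
            and t.src in state and t.dst in state and t.src != t.dst
            and state[t.src].owner == t.caller
            and state[t.src].balance >= t.amount)


def transfer_post(before, after, t, status):
    """Post-condition: on 200 the money moved and nothing else changed;
    on any other status the state is untouched (no partial writes)."""
    if status == 200:
        expected = deepcopy(before)
        expected[t.src].balance -= t.amount
        expected[t.dst].balance += t.amount
        return after == expected
    return after == before


# --- Two candidate implementations (the system under test) ------------------
def transfer_unchecked(state, t):
    """Skips the ownership check: functionally 'works' but violates the spec."""
    if t.amount <= 0 or t.src not in state or t.dst not in state or t.src == t.dst:
        return 400
    if state[t.src].balance < t.amount:
        return 409
    state[t.src].balance -= t.amount
    state[t.dst].balance += t.amount
    return 200


def transfer_checked(state, t):
    """Enforces every conjunct of the pre-condition before mutating state."""
    if t.amount <= 0 or t.src not in state or t.dst not in state or t.src == t.dst:
        return 400
    if state[t.src].owner != t.caller:
        return 403
    if state[t.src].balance < t.amount:
        return 409
    state[t.src].balance -= t.amount
    state[t.dst].balance += t.amount
    return 200


# --- Specification-based conformance testing --------------------------------
def run_conformance(impl, cases):
    """Run each (state, request) case against impl and return the indices of
    the cases whose observable behaviour violates the specification."""
    violations = []
    for i, (state, t) in enumerate(cases):
        before = deepcopy(state)
        status = impl(state, t)
        if transfer_pre(before, t):
            # Inside the pre-condition the call must succeed and satisfy post.
            ok = status == 200 and transfer_post(before, state, t, status)
        else:
            # Outside it the only conforming behaviour is rejection without effect.
            ok = status != 200 and state == before
        if not ok:
            violations.append(i)
    return violations


def sample_cases():
    """Constructed test data: one valid transfer, one cross-owner attempt,
    one overdraft, one non-positive amount."""
    def bank():
        return {"A1": Account("alice", 500), "B1": Account("bob", 100)}
    return [
        (bank(), Transfer("alice", "A1", "B1", 200)),   # satisfies the pre-condition
        (bank(), Transfer("bob", "A1", "B1", 200)),     # caller is not the owner
        (bank(), Transfer("alice", "A1", "B1", 900)),   # insufficient funds
        (bank(), Transfer("alice", "A1", "B1", -5)),    # non-positive amount
    ]


if __name__ == "__main__":
    print("unchecked violations:", run_conformance(transfer_unchecked, sample_cases()))
    print("checked violations:  ", run_conformance(transfer_checked, sample_cases()))
```

The point the harness makes is that the unchecked implementation passes every purely functional case yet is flagged on the cross-owner request, because the ownership constraint lives in the specification rather than in a separate security review; any implementation that conforms to the specification necessarily enforces it.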
Keywords
RESTful web APIs, formal approach