REST API Notes for 2017/09/11 - Roy's Reflections


Last week, Roy T. Fielding, originator of the Representational State Transfer style (REST), co-published a major recap of his work. Entitled "Reflections on the REST Architectural Style and 'Principled Design of the Modern Web Architecture'", it is available for download via Google Research. The paper is accompanied by slides from the keynote talk given at the joint European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE).

These works are worth your time for several reasons. First, the original dissertation, while fine in its time, is a bit much for someone new. It is certainly not where I direct people looking for a thorough, yet approachable, introduction. The recap still hits the salient points, but does so in a more succinct manner, concentrated with time and perspective.

Second, there's a fascinating attempt to articulate what comes after REST and, no, it isn't GraphQL. Honestly, I hadn't heard of the ARRESTED, CREST, or COAST software architectures. Each adds aspects to REST to address limitations of the initial style. This is some heady stuff; this is the section that, in part, mentions Bitcoin and Ethereum's smart contracts.

The third, and final, section was the biggest surprise to me. Here, the authors ruminate on the changing research environment. They make a case that the long doctoral process that supported the creation of the REST architectural style was born from a unique set of circumstances. The concern seems to be that similar work, articulating the kind of software design on the "scale of decades" and focused on "longevity and independent evolution", is no longer possible. It's a sobering vision of the future that I hadn't expected in what, otherwise, should have been a victory lap.


Prior to last weekend, Equifax announced a leak of names, addresses, dates of birth, social security numbers, and (in some cases) driver's license and credit card numbers for 143 million Americans. If you're concerned, there are some initial steps you should take. However, I mention that news here because it appears the hackers exploited a flaw in Apache Struts' handling of REST calls. The problem was the way Equifax's Struts deployment parsed data sent to the server. When successfully exploited, a malicious payload was hidden inside of a benign-looking request, and that payload was executed when Struts attempted to convert it into objects. Organizations that use Struts, a popular framework for Java application development, should upgrade their components immediately to avoid being similarly exploited.
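The root of the pattern described above is a converter that turns request data into objects of whatever type the request names, so the defensive fix is to only ever instantiate the types an endpoint actually expects. The following Python is an added illustration of that pattern and its hardened counterpart; it is not Struts' or Equifax's code, and the XML format, the class names (`Account`, `Address`, the hypothetical internal `AdminTask`), and the sample requests are all constructed for the example.

```python
"""Type-allowlisted conversion of request payloads to objects.

Added example (not Struts' or Equifax's code). A converter that builds
an object of whatever type the request names is the vulnerable pattern;
the hardened version consults an allowlist before building anything.
Format, class names and payloads below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, fields


@dataclass
class Address:
    street: str
    city: str


@dataclass
class Account:
    name: str
    email: str


class AdminTask:
    """Hypothetical internal class that must never be built from a request."""
    def __init__(self, **kwargs):
        self.kwargs = kwargs


# Types the REST endpoint legitimately accepts, keyed by the element name a
# client may send. Anything else is rejected before any object is created.
ALLOWED_TYPES = {"Account": Account, "Address": Address}


class RejectedPayload(ValueError):
    """Raised when a request names a type or field outside the allowlist."""


def convert_unsafe(xml_text: str):
    """Vulnerable pattern: the root element name alone picks the class.

    Any class reachable by name is instantiated with client-controlled
    fields. Kept here only to contrast with convert_safe.
    """
    root = ET.fromstring(xml_text)
    cls = globals()[root.tag]  # name-based lookup, no restriction
    return cls(**{child.tag: child.text or "" for child in root})


def convert_safe(xml_text: str):
    """Hardened pattern: allowlist the type, then validate its fields."""
    root = ET.fromstring(xml_text)
    cls = ALLOWED_TYPES.get(root.tag)
    if cls is None:
        raise RejectedPayload(f"type {root.tag!r} is not accepted here")
    expected = {f.name for f in fields(cls)}
    given = {child.tag: child.text or "" for child in root}
    unknown = set(given) - expected
    if unknown:
        raise RejectedPayload(f"unexpected fields {sorted(unknown)}")
    return cls(**given)


# Constructed sample requests: one benign, one naming an internal type.
BENIGN = "<Account><name>Ada</name><email>ada@example.com</email></Account>"
SUSPECT = "<AdminTask><command>x</command></AdminTask>"


def demo():
    """Return (safe result, class name the unsafe path built, safe rejected?)."""
    safe = convert_safe(BENIGN)
    unsafe = convert_unsafe(SUSPECT)  # builds AdminTask from request data
    try:
        convert_safe(SUSPECT)
        rejected = False
    except RejectedPayload:
        rejected = True
    return safe, type(unsafe).__name__, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is keyed on the element name rather than on a class resolved from it, so a request can never reach a type the endpoint did not register, and the field check stops a client from smuggling attributes the expected type does not declare. Upgrading the framework, as the paragraph recommends, is what applies this kind of restriction inside Struts itself.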


As previously mentioned, I'm hiring! Are you familiar with enterprise software systems, love working with developers, and looking for professional growth? Some familiarity with message queuing or event-driven architectures is a big plus (Kafka, RabbitMQ, and/or Amazon Simple Queue Service [SQS]). For more information, check out the listing.

My fellow co-worker and speaker at API events, Irakli Nadareishvili, is also hiring for an Application Security Engineer. If you enjoy big security challenges on an exciting greenfield opportunity, give his listing a look.

Finally, if you have an upcoming in-person API-related event that isn't captured on, respond and let's get it listed! I'm pleased to announce that I'll be speaking at API World 2017 at the end of the month. My topic is "An API Governance Blueprint for Successful IT Culture Change". If that sounds pertinent to your current work, let me know - I'm happy to workshop beta versions of the talk with interested parties prior to the big stage.

Til next time,
@libel_vox and
