Back in the old days — we’re talking three, four years ago — there was a huge debate about the best approach to developing Web services: SOAP (Simple Object Access Protocol) or REST (Representational State Transfer).
They’re not languages, mind you. People who know about such things refer to them as “styles.” REST became sort of the hipster style, used primarily online, and SOAP was a more conservative style, with a lot more rules, so it suited enterprises. There were a lot of service-oriented architectures built with SOAP services.
Times change, and so do styles. REST is no longer edgy; it is the preferred style for APIs and is widely used. And SOAP … well, SOAP may be headed the way of the dodo.
Scott Morrison, the CTO of Layer 7 Technologies, an API management company, said REST seems to be taking over in the enterprise today.
“We thought, OK, people are going to keep doing SOAP inside and on the outside, they're going to go 100 percent REST because they're going to use REST for integrating to mobile devices and even partners now,” Morrison said. “But here’s what really we found that was interesting, and we didn’t expect this: It turns out that even in the enterprise, people are moving very aggressively towards REST. So even if they have existing SOAP in the enterprise, for all the same reasons that REST makes sense outside, maybe with the exception of mobile devices, they're also using it inside.”
Layer 7’s API management platform was designed mostly with the outside user in mind, which means it’s very REST friendly. But recently, enterprises have been using it to deploy REST services inside the firewall.
Morrison estimates that about 50 percent of the internal deployments are now with REST.
“That really struck us,” he said. “All of these ideas about REST are just as relevant and just as attractive to somebody who’s doing app-to-app communications behind the firewall. And that’s something that’s really borne out for a while now.”
So, it seems SOAP was holding enterprises back.
This isn’t in my recent Q&A with Morrison, but I did ask him what happens when you use a tool like Layer 7 to convert SOAP services to REST, particularly when it comes to security.
Morrison replied that it means security is handled differently. With SOAP, you could drill down to the message and if, for example, that message included a credit card number, you could encrypt just that number. While that seems like a great feature, in reality, most companies don’t need it or use it incorrectly, in ways that leave security holes, he said.
REST, on the other hand, uses SSL, which is simpler to use for most developers. While mistakes can still be made, it’s easier to get right, he explained, which in the long run makes it more secure than SOAP done wrong. The tool helps map that translation, too, he added.
“Turn SSL on. We’re big advocates of just turning SSL on for almost everything,” he said. “It’s cheap, so you might as well just do it.”