I subscribe to the "End to End Web Developers" group on LinkedIn. Today, someone posted a question "Is Parse a Secure Solution". I typed up a nice long response in my Sublime Text editor and pasted it into the response field only to be rejected because it was too long. So, here is my entire response.
As the article you linked to mentions, "There are some obvious measures you can take to protect your data". Parse and it's brethren (Kinvey, StackMob, Backendless, Azure, etc) are no less secure than any server side code you develop in a traditional LAMP Stack.
As far as the API being exposed (also demonstrated in your link), that is no big deal either. Any attacker could look at a "traditional" web application and use built-in browser tools, add-ons, or sniffers like Charles or WireShark to inspect everthing the app sends over the wire. So, if you have a REST API, they can see how to handle all types of data processing - CRUD. They can collect a list of all users, delete users, add data, etc.
In your "what if" scenario of creating 1M users in a few hours, how is that any different than your backend? If there is a signup form, I can programatically fill that form out all day long using browser tools or cUrl and send you submissions. How do you stop that? Don't you want users to signup? Parse is no more vulnerable to this than your backend or Facebook.
Now, comes the important part. As with ANY client server architecture, a good developer NEVER trusts data from the client. First, any serious application will require authentication. I'm sure your LAMP stack or Java or whatever application does this. Guess what? Parse, Kinvey, Backendless, Azure, etc all have authentication available to the developer. The developer decides what type of authentication to use. Then, the developer decides what access controls to put on any collection ( basically "table"). The developer decides if the collection is private, shared, read-only, etc. Next, just as with your LAMP stack, the DEVELOPER is responsible for data validation and security. That developer must ensure on EACH request that the data change is permissible for that user. They must ensure the data meets validation requirements. The developer can have before-save, on-save, and after-save triggers for every CRUD event. This is the exact same thing a developer should be doing on any other client/server architecture.
So, "Is Parse a secure solution?" Yes, it is as secure as the developer makes it. BaaS providers are inherently no less secure than any "you own it" backend architectures.
Anyone else have input on this?
- Signup to find out when Kids In Touch launches