Which is more secure, Web application or Web API?

2

I have a project in which there will be a web API to "communicate" with mobile applications. This is for reference only. Besides this, there will be an administration side, which boils down to entering the data.

The question concerns the administration side: is it safer to use a web application with "direct" access to the DB, or to use the web API's resources? Taking into account the necessary security being applied in both cases.

asked by anonymous 12.06.2018 / 14:50

1 answer

5

The one that is well done, and by someone who understands security. That is, either one, if it is done well.

If one of them had less security, it should not be used. If you encounter a security problem, it is a bug to fix.

If you do not understand what you are doing and all the implications of everything you do, then both are unsafe, not because they were built that way, but because those who built them did not have the means to make them secure.

Insecurity is exploited by people who understand a great deal of what they do, against what was built by people who understand little or nothing.

And learning this is not learning cake recipes; it is learning all the fundamentals in depth. Only then will you understand everything that can happen and mitigate it. That is, to make something secure you have to know as much as anyone who exploits security holes.

If there is an area you cannot claim to know, you can follow recipes, but for security that is not enough, because even the biggest insecurities still do not have recipes.

Of course, most systems, especially on the web, are extra vulnerable because they are made by people who are not even aware of the basics and make very basic mistakes that were solved decades ago.

When systems were not on the web they were safer for the simple reason that few people could access them. Now everyone can; you cannot trust anything external, and you have to protect yourself from everything that is known and from what is not known. And today people have the idea that anyone can program, when in fact it has become much more difficult. So today the overwhelming majority of applications are insecure and vulnerable, and the vast majority of servers are or will be operating in the service of crackers, some for years or decades without the owner knowing.

If you take into account that the programmer has done everything right, both are equally safe.

Even if one were safer, what use would it be if the one you need to use is the other one?

I would not recommend using DDD in any application. Unless, of course, it is very suitable for that application, you fully master the subject, and you have a good implementation of it (and I will give a hint: not even the creator of the term did a good one, which generates atrocities). I do not know what this is doing here, but I thought it best not to skip over this myth that it somehow helps security. On the contrary: as I see people out there applying DDD wrongly, creating dubious mechanisms of their own to replace what already exists and is considered safe, security only tends to get worse, especially because people do not see what is happening. Actually, anything that is applied to everything is already wrong by definition. Even the biggest DDD advocates do not use it at all.

An example of how people do not understand security is that they voted to close the question as opinion-based. Security either exists or it does not. It is measurable, and even without measuring it, the condition of technologies is public knowledge, and the inherently insecure ones are considered obsolete and are only used by those who do not read documentation (which few do, and do not even get me started on talking about security with those who do this, some 80 or 90%). Okay, I understand that someone might have voted out of some kind of bias or inattention, but it is important to know that too.

Summary

Both are safe; security is given by the quality of the programmer. Use what meets your need, and set out to be a complete professional, or pass it on to someone who can help with the matter, and do not buy into myths. Accept that you do not understand security (that is what I do) and research so that at least you do not make the basic mistakes most people make without even realizing it.

Those who understand this and act accordingly make safer systems; those who think they make safe systems without noticing this are deluding themselves, and many experienced people do so.

I hope you enjoy the tips.

12.06.2018 / 17:14