Solution Centers

MORE

Everything Else

Virtual Conferences

Security Directions
On demand until December 30, 2009

Navigating Through Dynamic Times by Cisco
On demand until November 20, 2009

Ways to connect with CIO

all RSS RSS Feeds

Subscribe to All of CIO.com

Subscribe to Mobile

Subscribe to Web 2.0

Subscribe to Careers

Subscribe to ERP

CLOUD COMPUTING

Drilldowns

Beats

Cisco Undervalues Tandberg, Investment Firms Say

TECHNOLOGY
- Infrastructure
  - Cloud Computing
  - Network
  - Security
  - Client
    - Desktop
    - Laptop
    - Laptop - Macbook
    - PDA
  - Server
    - Load Balancing
  - Mobile
  - Operating Systems
    - Windows
    - Windows - Vista
    - Linux
    - Mac
    - Mac - Leopard
    - Unix
    - Other
  - Data Center
  - Virtualization
- Applications
- Development
  - Open Source
  - Eclipse
  - Java
  - .NET
  - Agile
  - Web Services
- Architecture
  - Enterprise Architecture
LEADERSHIP

IT DRILLDOWN

Cloud Computing

CRM Newsletter

NEWSLETTERS

CIO.com updates, insights and advice on technology, management and your career.

LEADERSHIP

CIO Executive Programs

The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

CIO Executive Council

A Peer-Advisory Service and Professional Association for CIOs

Public Council Teleconference: Application Rationalization — Hidden Costs and Smart Decisions

November 17 at 11:00 am US/Eastern (GMT-5)

Join Honorio Padrón, of The Hackett Group, who will share the drivers for companies to tackle application rationalization and the results of research that define the hidden cost of complexity. Additionally, we will discuss key decision milestones—to start or not, holding the course steady and fulfilling expectations.

Virtual Desktop Cost-Benefit Analysis — Michael Jacobs, Catlin Group

The analysis contained in this presentation measures the cost of everything from the machines and licenses to the infrastructure for virtual vs. traditional desktop environments.

Honor your best senior team members - Apply for the CIO Ones to Watch Award

Get well-earned public recognition for your top up-and-coming team members, your IT organization and your enterprise. Award winners will be announced, publicized and feted in May 2010, great timing to help attract new IT recruits to your company.

More / Register »

Learn more about the CIO Executive Council »

RESOURCE CENTER

buy a link »

Feature

How to Get a Grip on Ajax Security

Ajax, today's tool of choice for developing Web 2.0 applications, opens up a wider attack surface for old security vulnerabilities. Do most enterprise developers understand the risks?

Leave a comment

By Rick Cook

October 12, 2007 — CIO —

Ajax (Asynchronous JavaScript and XML), the technology of choice today for building powerful, interactive Web applications, comes at a price. If developers aren't careful they will pay that price in security.

Most developers writing Ajax applications don't work for software companies, but inside large enterprises. Unfortunately a lot of the Ajax community doesn't understand the potential risks, security experts say.

"We're not seeing security consciousness with developers, we're not seeing it with the people writing frameworks, and we're not seeing it with the quality-assurance testers," says Billy Hoffman, lead researcher at security firm SPIdynamics. "Developers assume the client is going to work a certain way and they don't think about what happens if the client doesn't work like that."

But the bad guys do think about security weaknesses, and they're getting progressively better at exploiting them via Ajax.

For the most part, Ajax doesn't present new security problems—although there are a few new types. Mostly it presents old challenges in new ways, says Pete Lindstrom, a senior analyst for Burton Group. First, Ajax can offer a considerably larger attack surface for old vulnerabilities. Also, the lack of familiarity with Ajax security can compound that problem.

The Trouble with Ajax
As compared to Web 1.0 applications, Web 2.0 technologies such as Ajax in effect split an application, to offload a lot of the processing onto the client browser. This makes for a more flexible, responsive application, but it also exposes functionality previously handled on the server.

"The big change is that the amount of logic and smarts that is no longer on the server can expose immature applications to problems," says Kevin Henrickson, director of engineering at Zimbra, which makes an Ajax-based e-mail application.

This split is the main reason Ajax applications have a much larger attack surface than older Web applications.

"From a security standpoint this [division] introduces two flavors of problems," says Brian Chess, chief scientist and a founder of security firm Fortify Software. "First, it's a more complex system. You've got these two smart things interacting and there's more room for all kinds of errors." What's more, "because we have a much richer client interface we have much harder applications to test," Chess adds.

Top Mistakes to Prevent
The first rule of Ajax security, Henrickson says, is protect the server. "That's where you enforce your security. At the end of the day you can't trust the client," he says. "You have to have a way of ensuring that the person is authenticated and that the person making the request is the one you want getting data."

1 | 2 | 3 |next page »

Print

Share [+]

RELATED ARTICLES

TOOLS

Comments

LinkedIn

RELATED

WHITE PAPERS

Top 10 Business Drivers

The restructuring of Wall Street that took place in 2008 will have a major impact on the investment management business in 2009.

How is open source changing the face of enterprise software?

Learn how open source and business intelligence ignite enterprises to reach new levels of performance excellence.

Red Hat Open Source Security

The rapid innovation and collaboration of open source development helps Red Hat provide industry-leading security tools and processes.

Now is the Time for Open Source

In today's economy, we are all trying to do more with less. Another modern business necessity is flexible, mobile data and systems-complex IT.

Bridging the IT Visibility Gap in Complex Composite Applications

Composite Application Management

Enhance the Performance of your Data Center

Enhancing performance through Virtualization realizes operational efficiencies and offers reliability.

WEBCASTS

IT Consolidation Made Easy

The Primary IT Initiative for Reducing Costs

CIOs Weigh In On Virtualization

Date: November 19, 2009 Time: 2:00 PM EST

Gary Beach, publisher emeritus of CIO magazine,...

Webcast- Vantage 11: Redefining Application Performance Management

Redefining Application Performance Management

Architecting Business Intelligence Applications for Change: The Open Solution

Architecting BI Applications for Change

Taking a Seat at the Executive Table: The Reality of Virtualization

This year, for the first time, the number of virtual machines is on track to exceed the number of physical machines...

Who Are the Data Center Leaders?

Today's data center is still very much a heterogeneous environment. Gabriel Consulting recently surveyed over 250 d...

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

Update Fixes IPhone Sync Problem with Windows 7 for Some

Cisco Undervalues Tandberg, Investment Firms Say

Exchange 2010: Why I'm Using It to Say Bye-Bye BlackBerry

Four Reasons to Buy (and One Reason to Avoid) the Droid

Data Center Start-Up Offers Energy Saving Software

US Lawmakers Propose Changes in Telecom Subsidies

Microsoft Office Battles Google in the Cloud

Droid Launch Draws Tech-Savvy Crowd to Verizon Store

Cisco Undervalues Tandberg, Investment Firms Say

The Search Market Created Microsoft's Worst Enemy

WHITE PAPERS

TowerGroup 2009 Top 10 in Investment Management

Open Source: Transforming Data into Dynamic Information Ecosystems

Red Hat Open Source Security

Now is the Time for Open Source

Composite Application Management: Bridging the IT Visibility Gap in Complex Composite Applications

Server Consolidation: Leveraging the Benefits of Virtualization

Service Level Management Best Practices Service Level Reporting and Communication

Server Refresh Analysis

CIO eGuide: Inside the Next-Gen Data Center

The Total Economic Impact™ of the Informatica Platform and Integration Competency Centers

Cutting the Cost of Enterprise Databases

Selective Sourcing: The CIO Calls the Shots

8 Elements of Vulnerability Management

How Desktop Virtualization Changes the Game for IT

Virtualization 2.0: The Desktop Revolution

Tokenless Two-Factor Authentication: It Finally Adds Up

Advancing Innovation, Controlling Costs

Secure Email and Web-Based Communication from Evolving Attacks

Gaining the Performance Edge Using a Column-Oriented Database Management System

10 Ways Excel Drives More Value from Your SAP Investment

More White Papers »

FEATURED SPONSORS

SPONSORED LINKS

Disciplined Autonomy: Resolving the Tension Between Flexibility and Control

Enterprise Capture: Your Onramp to Business Process Automation

Seven Technologies for Advanced Mail Protection

Server Consolidation: Leveraging the Benefits of Virtualization

Join us at the US-Brazil IT-BPO Summit, on November 10th in New York.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion

Read the RSA report: Security for Business Innovation

Webcast: Looking to the Cloud for Email and Collaboration Services

64-page prescriptive guide to security, compliance, and IT operations.

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

A new fleet of PCs with a total ROI in 10 months. Find your ROI.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

eZine: A Roadmap to Reducing IT Complexity

World-class trading technology solutions from NYSE Technologies.

If You're Paying for Telecom, You're Paying Too Much. Contact Asentinel Today.

Trade-In your old printer and save up to $1,000 plus free recycling!

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Live Webinar: Applying Business Analytics. Click here to learn more

White Paper: 4 Customer Service Myths

Mobile Security: The Essential Ingredient for Today's Enterprise

White Paper: Improve Agility with Operational Responsiveness

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

Tolly Group Lab Test Results: Cisco vs. ShoreTel

SETLabs: The Impact of Performance Engineering

Top to Bottom Performance Management Excellence at the City of Chicago

See how AT&T can help protect your network.

Top Five CIO Challenges

Streamline IT Costs. Boost Performance with WAN Optimization.

Want to know how you can maximize employee productivity?

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

Increase UPS efficiency without sacrificing protection.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

Interactive Q&A helps you discover key ways to maximize IT assets.

Ready to virtualize tier one applications? Check your virtualization maturity.

Think you can't afford a Cisco Switch? Cisco Catalyst Switches are now more affordable.

Five minute business analytics assessment. Immediate results.

The Case for Investing in Business Analytics Technology. Read white paper.

White Paper: Right-Sizing Your Power Infrastructure

Webcast: Unleashing the Power of Customer Data

White Paper: Managed Security for a Not-So-Secure World

SharePoint - Unchecked growth of content is unsustainable.

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

© 1994 - 2009 CXO Media Inc.