Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live teleconferences:
* Planning for Succession:
Models for IT Leadership Development, June 23
* Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25
* Managing Change: Centralizing Your IT Organization
July 29
Apply today for a FREE subscription to CIO Magazine!
Feature
How to Get a Grip on Ajax Security
Ajax, today's tool of choice for developing Web 2.0 applications, opens up a wider attack surface for old security vulnerabilities. Do most enterprise developers understand the risks?October 12, 2007 — CIO — Ajax (Asynchronous JavaScript and XML), the technology of choice today for building powerful, interactive Web applications, comes at a price. If developers aren't careful they will pay that price in security.
Most developers writing Ajax applications don't work for software companies, but inside large enterprises. Unfortunately a lot of the Ajax community doesn't understand the potential risks, security experts say.
"We're not seeing security consciousness with developers, we're not seeing it with the people writing frameworks, and we're not seeing it with the quality-assurance testers," says Billy Hoffman, lead researcher at security firm SPIdynamics. "Developers assume the client is going to work a certain way and they don't think about what happens if the client doesn't work like that."
But the bad guys do think about security weaknesses, and they're getting progressively better at exploiting them via Ajax.
For the most part, Ajax doesn't present new security problems—although there are a few new types. Mostly it presents old challenges in new ways, says Pete Lindstrom, a senior analyst for Burton Group. First, Ajax can offer a considerably larger attack surface for old vulnerabilities. Also, the lack of familiarity with Ajax security can compound that problem.
The Trouble with Ajax
As compared to Web 1.0 applications, Web 2.0 technologies such as Ajax in effect split an application, to offload a lot of the processing onto the client browser. This makes for a more flexible, responsive application, but it also exposes functionality previously handled on the server.
"The big change is that the amount of logic and smarts that is no longer on the server can expose immature applications to problems," says Kevin Henrickson, director of engineering at Zimbra, which makes an Ajax-based e-mail application.
This split is the main reason Ajax applications have a much larger attack surface than older Web applications.
"From a security standpoint this [division] introduces two flavors of problems," says Brian Chess, chief scientist and a founder of security firm Fortify Software. "First, it's a more complex system. You've got these two smart things interacting and there's more room for all kinds of errors." What's more, "because we have a much richer client interface we have much harder applications to test," Chess adds.
Top Mistakes to Prevent
The first rule of Ajax security, Henrickson says, is protect the server. "That's where you enforce your security. At the end of the day you can't trust the client," he says. "You have to have a way of ensuring that the person is authenticated and that the person making the request is the one you want getting data."
Customer Integration Wins at Invitrogen
Next Generation B2Bi Services for Companies of All Sizes
Internet's Largest Book Retailer Scores Big with B2B Customers
Moving Past Enterprise Single Sign-On (SSO): Securing Internet SSO
Success Story: Weather.com handles whatever nature serves up
Driving More Effective Business Processes with SOA
Integration as a Service: Are you connected?
People, Processes, and SOA: Oracle Fusion Middleware and the Responsive Enterprise
Balancing Your Innovation and Efficiency Platforms for Competitive Advantage and Responsiveness
Model, Execute, and Optimize: Oracle Fusion Middleware and the BPM lifecycle
HP Puts Its Disaster-tolerant Capabilities to the Test
Enabling the Global Enterprise
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Lithuania: Attacks Focused on Hosting Company
Google Bows to Pressure, Adds 'Privacy' Link to Home Page
TSMC Says 2Q in Line Or Better After Major Customer Falls
Asustek to Offer Eee PC with Built-in 3G Wireless
Asustek's Latest Eee PCs Shipping in Asia in July
Lenovo Seeks Prestige in Price-Sensitive Market
Microsoft's Silverlight Draws Patent Suit
A Tale of Two City Wi-Fi's
Google Under Pressure As App Engine Requests Rise
Wall Street Beat: IT Slumps in First Half
How To Do Nearly Anything
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
