CRM Newsletter
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO ERP
 CIO Enterprise Applications
 CIO Strategy & Innovation
 CIO Project Management
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Mid-Market CIO Panel: Tips and Techniques for Improving Vendor Relationships

July 15, 4:00 PM - 5:00 PM U.S./Eastern (GMT-4)

We'll highlight relationship priorities and best practices identified in a Council study, and we'll interact with a CIO panel on the approaches they've used to improve strategic vendor partnerships.

Secrets of Successful Vendor Contract Negotiations for the Mid-Market

Sept. 10, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)

On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.

Executive Competencies Assessment Tool

Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 
Feature
 

How to Get a Grip on Ajax Security

Ajax, today's tool of choice for developing Web 2.0 applications, opens up a wider attack surface for old security vulnerabilities. Do most enterprise developers understand the risks?

 

By Rick Cook

October 12, 2007CIO

Ajax (Asynchronous JavaScript and XML), the technology of choice today for building powerful, interactive Web applications, comes at a price. If developers aren't careful they will pay that price in security.

Most developers writing Ajax applications don't work for software companies, but inside large enterprises. Unfortunately a lot of the Ajax community doesn't understand the potential risks, security experts say.

"We're not seeing security consciousness with developers, we're not seeing it with the people writing frameworks, and we're not seeing it with the quality-assurance testers," says Billy Hoffman, lead researcher at security firm SPIdynamics. "Developers assume the client is going to work a certain way and they don't think about what happens if the client doesn't work like that."

But the bad guys do think about security weaknesses, and they're getting progressively better at exploiting them via Ajax.

For the most part, Ajax doesn't present new security problems—although there are a few new types. Mostly it presents old challenges in new ways, says Pete Lindstrom, a senior analyst for Burton Group. First, Ajax can offer a considerably larger attack surface for old vulnerabilities. Also, the lack of familiarity with Ajax security can compound that problem.

The Trouble with Ajax
As compared to Web 1.0 applications, Web 2.0 technologies such as Ajax in effect split an application, to offload a lot of the processing onto the client browser. This makes for a more flexible, responsive application, but it also exposes functionality previously handled on the server.

"The big change is that the amount of logic and smarts that is no longer on the server can expose immature applications to problems," says Kevin Henrickson, director of engineering at Zimbra, which makes an Ajax-based e-mail application.

This split is the main reason Ajax applications have a much larger attack surface than older Web applications.

"From a security standpoint this [division] introduces two flavors of problems," says Brian Chess, chief scientist and a founder of security firm Fortify Software. "First, it's a more complex system. You've got these two smart things interacting and there's more room for all kinds of errors." What's more, "because we have a much richer client interface we have much harder applications to test," Chess adds.

Top Mistakes to Prevent
The first rule of Ajax security, Henrickson says, is protect the server. "That's where you enforce your security. At the end of the day you can't trust the client," he says. "You have to have a way of ensuring that the person is authenticated and that the person making the request is the one you want getting data."

 
 
Loading...
 
WHITE PAPERS

The Gartner Magic Quadrant for IT PPM Applications

This report evaluates 19 vendors on their ability to execute and completeness of vision.
 

Brocade and Imperva: Providing Best-of-Breed Products

Web applications have become the backbone of business in nearly every segment of the economy.
 

How is Open Source Changing the Face of Enterprise Software?

Ensure success with your Operational Performance Management initiative.
 

Improve Code Quality Across Your Software Organization

Address developer skills and software processes, and you will eliminate many software quality issues.
 

5 Tips for Data Loss Prevention Solutions

RSA® The Security Division of EMC has identified 5 key considerations to help organizations simplify the evaluation process for selecting a DLP solution that is right for their business.
 

Communications Transformation Platform

The Communications Transformation Platform enables you to provide the services your customers demand - faster, cheaper and with less risk.
 

WEBCASTS

Managing Client Systems in the Enterprise

Keeping client systems costs under control is just one of the many initiatives IT must address when trying to manag...
 

IT Consolidation Made Easy

The Primary IT Initiative for Reducing Costs
 

Webcast with Dan Vesset: Investing in Business Analytics Technology

What exactly is business analytics and why should you care? Dan Vesset of IDC and Gaurav Verma of SAS answer this a...
 

Capitalize on Your SAP Content

After 18 years of partnership and over 3,000 successful customer deployments, Open Text has become SAP's premier pa...
 

Enterprise Cloud Computing: Ready for Primetime?

The progression toward enterprise cloud computing is happening today, as industry leaders deploy technologies that ...
 

Preparing Your Business Services for the Future

Would you trust your network monitoring tools enough to know when something is truly halting a business service? Wh...
 

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

How Open Source is Changing the Face of Enterprise Software

The Link Between Effective Online Business Banking and Web 2.0

Reduce risk, gain agility. See how Progress can help your business.

Improve ROI, lower TCO and reduce energy consumption.

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Accenture IT Consulting: Logical meets technological. More . . .

The Fraudster Economy Model: Operating a Business in the Underground

Payback in 9 months with CA Spectrum solutions

The Case for Investing in Business Analytics Technology. Read white paper.

Live Webinar: Applying Business Analytics. Click here to learn more

Seven Ways ITIL Can Help You in an Economic Downturn

Developing A Dynamic, Real-Time IT Infrastructure

Maximizing the Business Value of the PC Infrastructure

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Cloud Computing: Read about VMware's compelling vision & set of products

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

Stop Application Fraud at the Source with Device Reputation

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Software Executives: Take Control of Your Organization's Code Quality

Forrester: Implementing Rich Internet Applications

64-page prescriptive guide to security, compliance, and IT operations.

Get Google Enterprise Search for your business information.

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Insight makes it easy to spend your Microsoft subsidy check.

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk

Accenture: Outsourcing for uncertain times. Click to learn more.

Keep online transactions fast with CA Wily APM

Get agile IT security with CA Security Management

Trade in your old laser printer and get up to $1000 back!

Taking the Service Desk to the Next Level

Revolutionizing Enterprise Application Deployment

Why Data Loss is Increasing--and What You Can Do About It

Data Loss Prevention: A Better Way to Approach Security

Learn how to managing client systems in the enterprise.

Build a High-Performance Open Web Platform

Mid-Sized Company CIO Community: infoBOOM!

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Top-line Performance that's Bottom-line Efficient

White Paper: 8 Key Ingredients to Building an Internal Cloud

Read about virtualization and consolidation effort best practices