IT DRILLDOWN
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Public Teleconferences
Join CIO Executive Council members and participate in the following live teleconferences:

* Planning for Succession:
Models for IT Leadership Development, June 23
* Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25
* Managing Change: Centralizing Your IT Organization
July 29

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

 
 

Feature

 

How to Get a Grip on Ajax Security

Ajax, today's tool of choice for developing Web 2.0 applications, opens up a wider attack surface for old security vulnerabilities. Do most enterprise developers understand the risks?
 

October 12, 2007CIO — Ajax (Asynchronous JavaScript and XML), the technology of choice today for building powerful, interactive Web applications, comes at a price. If developers aren't careful they will pay that price in security.

Most developers writing Ajax applications don't work for software companies, but inside large enterprises. Unfortunately a lot of the Ajax community doesn't understand the potential risks, security experts say.

"We're not seeing security consciousness with developers, we're not seeing it with the people writing frameworks, and we're not seeing it with the quality-assurance testers," says Billy Hoffman, lead researcher at security firm SPIdynamics. "Developers assume the client is going to work a certain way and they don't think about what happens if the client doesn't work like that."

But the bad guys do think about security weaknesses, and they're getting progressively better at exploiting them via Ajax.

For the most part, Ajax doesn't present new security problems—although there are a few new types. Mostly it presents old challenges in new ways, says Pete Lindstrom, a senior analyst for Burton Group. First, Ajax can offer a considerably larger attack surface for old vulnerabilities. Also, the lack of familiarity with Ajax security can compound that problem.

The Trouble with Ajax
As compared to Web 1.0 applications, Web 2.0 technologies such as Ajax in effect split an application, to offload a lot of the processing onto the client browser. This makes for a more flexible, responsive application, but it also exposes functionality previously handled on the server.

"The big change is that the amount of logic and smarts that is no longer on the server can expose immature applications to problems," says Kevin Henrickson, director of engineering at Zimbra, which makes an Ajax-based e-mail application.

This split is the main reason Ajax applications have a much larger attack surface than older Web applications.

"From a security standpoint this [division] introduces two flavors of problems," says Brian Chess, chief scientist and a founder of security firm Fortify Software. "First, it's a more complex system. You've got these two smart things interacting and there's more room for all kinds of errors." What's more, "because we have a much richer client interface we have much harder applications to test," Chess adds.

Top Mistakes to Prevent
The first rule of Ajax security, Henrickson says, is protect the server. "That's where you enforce your security. At the end of the day you can't trust the client," he says. "You have to have a way of ensuring that the person is authenticated and that the person making the request is the one you want getting data."

 
 
 
 
 
 
Loading...
 
 
ABCs
 

How To Do Nearly Anything

Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.

Over 25 tutorials on everything from business intelligence to virtualization.

 
 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Efficient by design: Watch this flash demo of the Quad-Core AMD Opteron Processor

Renowned Engineering Institution Chooses AMD Processor-Based Servers

Establishing a Strategy for Global Distributed Development

Oracle 9i Database Upgrade Management Services - Upgrade with Confidence

Cost-Effective Data Center 1U Server Solutions

Automate Business Processes - Try a Free Mashup Composer

Read Forrester's advice for deploying an enterprise mobile solution

Do the math-calculate the impact of mobile device deployment on your bottom line

Easily manage the Mac in your Enterprise

GET YOUR VoIP ONTM! Win 2 Years of Hosted VoIP from Cypress. $100,000 retail value. Enter today!

Build up or Tear down? See how UC makes sense with Nortel. Calculate your UC ROI

Speed, agility, flexibility - The HP BladeSystem c-Class

See why 93 of the Fortune Global 100 depend on Blue Coat.

White Paper: How Visualization Can Fix Business Software Problems

Oxford International Modernizes Vehicle Order Management System

Learn about the Three Pillars of Data Protection

Putting Open source to the test

Juniper Networks is changing the economics of networking with a no-compromise, highperformance and service-oriented approach

Research about the efficiencies created by different operating systems.

IT Outsourcing: To Rebid or Renegotiate Webcast

Create and Run Any Application On-Demand

A New Generation of Software as-a-Service (SaaS) Solutions

Master Data Management: The Approach Determines the Results

Executive Strategies to Achieve Consistent Performance & Availability across the Enterprise

Implementing Knowledge Management

HP and Oracle deploy unbreakable computing infrastructure at Replacements, Ltd.

White Paper: Assess Your SOA

Oracle & SUN Team to Rise Above the Upgrade Challenge

Extending the Enterprise Network Through Mobility

Microsoft System Center - Designed For Big

Choose a mobile device platform with familiar programs and simplified management

Improve device management - Microsoft® System Center Mobile Device Manager

Explore the interactive whitepaper: Rightsizing Blades for the mid-market

Easily integrate the Mac in your Enterprise

Reducing Data Center Costs with Data Deduplication: A TCO Analysis

Telwares helps firms validate, manage and optimize their telecom spend

TDWI Research report clears confusion about automating data governance

Taking Document Automation to the Next Level

Webcast: Transformation of Application Development

Webcast: Building an Optimized Infrastructure

How to Avoid the Worst Practices in Business Intelligence

White Paper: Juniper Networks Ethernet Switching Solutions Reduce Operational IT Expenses

Webcast: Learn why companies must invest in an agile network infrastructure

White Paper: Businesses Thrive by Unifying Business Communications

Run Desktop and CRM Applications Side by Side with Salesforce & Google

User Interface as a Service - Visual Force

The Combined Power of Salesforce and Google Apps

Unified Communications Software: The Death of VoIP?

Learn how industry leaders systematically evolve their systems forward to maximize results while minimizing risks

Enhancing Online Sales and Support