Ask the Expert

Can IBM's SMash technology secure Web applications?

How will the new IBM SMash technology secure Web applications if it takes information from multiple sources? Will SMash effectively keep applications secure?

    Requires Free Membership to View

In March, when the press release announcing IBM's contribution of Secure Mashup technology to the OpenAjax Alliance declared "IBM Cracks Web 2.0 Security Concerns With 'SMash,'" you could almost hear the groans from old-time IBMers to whom the idea of mashups -- browser-based applications built by non-technical users cutting and pasting snippets of code pulled from multiple sources -- is bound to seem very frightening.

However, the IBM release boldly declared mashups attractive for business use, "as they allow non-technical users to gain insight on complex situations in minutes" by pulling information "from multiple sources, such as websites, enterprise databases or emails, to create one unified view." The release then notes that "as with all Web-based initiatives, security has been a concern," as though it might no longer be a concern now that the world has SMash.

True, SMash, or Secure Mashup, does address a key security issue by "keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel." SMash adds an authentication mechanism that enables each contributing Web service to be verified and shown to be trusted (if the contributor supports SMash).

The idea is that only when a service has been verified as trusted will the application allow API access and permit a script to be executed. But even if SMash proves capable of performing the function reliably, despite the inevitable onslaught of attacks from increasingly well-financed data thieves, there is much more to the security of mashups than "controlled sharing of the data through a secure communication channel."

Consider the firewall. It provides a secure communication channel, right? Not really. A firewall controls which channels are used for communication, but if an authorized user makes a legitimate request for data, the firewall allows the request to go out and the data to come in, even if the data is Trojan code. Detecting and blocking malicious code is not the firewall's job. To some extent, the role of the firewall is often misunderstood, and it has produced a false sense of network security. There is a risk that SMash will do the same for mashups.

Not that IBM doesn't deserve kudos for its efforts to secure mashups. The bottom line right now, however, is that many take issue with the statement by Rod Smith, IBM research fellow and vice president, when he said that, "Security concerns can't be a complete inhibitor or clients lose out on the immense benefit mashups bring."

On the contrary, security concerns should be a complete inhibitor to any technology unless it's clear that the benefits outweigh the risks, and many security folks, including myself, don't see SMash reducing the risks at a faster pace than the bad guys are increasing them.

In the end, many just don't agree with Smith that "as an industry we've learned how to build security into business operations from the ground up instead of tacking it on after the fact."

More information:

  • Learn how the emergence of Web 2.0 has created e-discovery challenges.
  • See which new attack methods target Web 2.0 and VoIP technology.
  • This was first published in July 2008

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: