By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
However, the IBM release boldly declared mashups attractive for business use, "as they allow non-technical users to gain insight on complex situations in minutes" by pulling information "from multiple sources, such as websites, enterprise databases or emails, to create one unified view." The release then notes that "as with all Web-based initiatives, security has been a concern," as though it might no longer be a concern now that the world has SMash.
True, SMash, or Secure Mashup, does address a key security issue by "keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel." SMash adds an authentication mechanism that enables each contributing Web service to be verified and shown to be trusted (if the contributor supports SMash).
The idea is that only when a service has been verified as trusted will the application allow API access and permit a script to be executed. But even if SMash proves capable of performing the function reliably, despite the inevitable onslaught of attacks from increasingly well-financed data thieves, there is much more to the security of mashups than "controlled sharing of the data through a secure communication channel."
Consider the firewall. It provides a secure communication channel, right? Not really. A firewall controls which channels are used for communication, but if an authorized user makes a legitimate request for data, the firewall allows the request to go out and the data to come in, even if the data is Trojan code. Detecting and blocking malicious code is not the firewall's job. To some extent, the role of the firewall is often misunderstood, and it has produced a false sense of network security. There is a risk that SMash will do the same for mashups.
Not that IBM doesn't deserve kudos for its efforts to secure mashups. The bottom line right now, however, is that many take issue with the statement by Rod Smith, IBM research fellow and vice president, when he said that, "Security concerns can't be a complete inhibitor or clients lose out on the immense benefit mashups bring."
On the contrary, security concerns should be a complete inhibitor to any technology unless it's clear that the benefits outweigh the risks, and many security folks, including myself, don't see SMash reducing the risks at a faster pace than the bad guys are increasing them.
In the end, many just don't agree with Smith that "as an industry we've learned how to build security into business operations from the ground up instead of tacking it on after the fact."
Dig Deeper on Open Source Security Tools and Applications
Related Q&A from Michael Cobb
Attackers using crafted TIFF images can exploit flaws in the LibTIFF library to carry out remote code execution. Expert Michael Cobb explains how ...continue reading
Companies and government agencies handling criminal justice information need to comply with CJIS Security Policy. Expert Michael Cobb explains the ...continue reading
An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.