However, the IBM release boldly declared mashups attractive for business use, "as they allow non-technical users to gain insight on complex situations in minutes" by pulling information "from multiple sources, such as websites, enterprise databases or emails, to create one unified view." The release then notes that "as with all Web-based initiatives, security has been a concern," as though it might no longer be a concern now that the world has SMash.
True, SMash, or Secure Mashup, does address a key security issue by "keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel." SMash adds an authentication mechanism that enables each contributing Web service to be verified and shown to be trusted (if the contributor supports SMash).
The idea is that only when a service has been verified as trusted will the application allow API access and permit a script to be executed. But even if SMash proves capable of performing the function reliably, despite the inevitable onslaught of attacks from increasingly well-financed data thieves, there is much more to the security of mashups than "controlled sharing of the data through a secure communication channel."
Consider the firewall. It provides a secure communication channel, right? Not really. A firewall controls which channels are used for communication, but if an authorized user makes a legitimate request for data, the firewall allows the request to go out and the data to come in, even if the data is Trojan code. Detecting and blocking malicious code is not the firewall's job. To some extent, the role of the firewall is often misunderstood, and it has produced a false sense of network security. There is a risk that SMash will do the same for mashups.
Not that IBM doesn't deserve kudos for its efforts to secure mashups. The bottom line right now, however, is that many take issue with the statement by Rod Smith, IBM research fellow and vice president, when he said that, "Security concerns can't be a complete inhibitor or clients lose out on the immense benefit mashups bring."
On the contrary, security concerns should be a complete inhibitor to any technology unless it's clear that the benefits outweigh the risks, and many security folks, including myself, don't see SMash reducing the risks at a faster pace than the bad guys are increasing them.
In the end, many just don't agree with Smith that "as an industry we've learned how to build security into business operations from the ground up instead of tacking it on after the fact."
Related Q&A from Michael Cobb
Expert Michael Cobb explains how an HTTP referer header affects user privacy and outlines changes that can be made to ensure sensitive data is not ...continue reading
Expert Michael Cobb explains the difference between the REESSE3+ and IDEA block ciphers and explores when each is applicable in an enterprise setting.continue reading
While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.