However, the IBM release boldly declared mashups attractive for business use, "as they allow non-technical users to gain insight on complex situations in minutes" by pulling information "from multiple sources, such as websites, enterprise databases or emails, to create one unified view." The release then notes that "as with all Web-based initiatives, security has been a concern," as though it might no longer be a concern now that the world has SMash.
True, SMash, or Secure Mashup, does address a key security issue by "keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel." SMash adds an authentication mechanism that enables each contributing Web service to be verified and shown to be trusted (if the contributor supports SMash).
The idea is that only when a service has been verified as trusted will the application allow API access and permit a script to be executed. But even if SMash proves capable of performing the function reliably, despite the inevitable onslaught of attacks from increasingly well-financed data thieves, there is much more to the security of mashups than "controlled sharing of the data through a secure communication channel."
Consider the firewall. It provides a secure communication channel, right? Not really. A firewall controls which channels are used for communication, but if an authorized user makes a legitimate request for data, the firewall allows the request to go out and the data to come in, even if the data is Trojan code. Detecting and blocking malicious code is not the firewall's job. To some extent, the role of the firewall is often misunderstood, and it has produced a false sense of network security. There is a risk that SMash will do the same for mashups.
Not that IBM doesn't deserve kudos for its efforts to secure mashups. The bottom line right now, however, is that many take issue with the statement by Rod Smith, IBM research fellow and vice president, when he said that, "Security concerns can't be a complete inhibitor or clients lose out on the immense benefit mashups bring."
On the contrary, security concerns should be a complete inhibitor to any technology unless it's clear that the benefits outweigh the risks, and many security folks, including myself, don't see SMash reducing the risks at a faster pace than the bad guys are increasing them.
In the end, many just don't agree with Smith that "as an industry we've learned how to build security into business operations from the ground up instead of tacking it on after the fact."
This was first published in July 2008