Web 2.0 application development techniques introduce new information security risks - Information Security Magazine - Page 1

Ajax, JavaScript and other dynamic application coding methods have pulled computing power over to the client, introducing new risks and resurrecting old ones.


The world of Web application development has recently been re-energized through the advent of Ajax technologies. Through these techniques, Web sites can appear to be more dynamic and interactive, giving the user the experience of a desktop application but with the ease of deployment and maintenance that comes with a server-based application. Enterprises have embraced this combination as a way to minimize deployment costs while maximizing user satisfaction.

Yet these technologies and techniques carry security risk. The difference between traditional Web applications and newer Web 2.0 Ajax applications is the amount of logic, data and processing that occurs on the client side. Users are no longer dealing merely with HTML and Flash, but with complex programmatic logic in the form of JavaScript and sometimes massive amounts of structured data in the form of XML or JavaScript Object Notation (JSON). This creates a twofold problem: business logic is exposed to the end user, and new threat vectors may be opened against the application. Enterprises need to understand the nature of these applications, and whether the threats associated with Ajax are a new breed or simply another way to look at the same old problems of distributed Web application security.

GETTING CLOSER TO AJAX
Ajax is a catchall description for a collection of development practices and technologies that have existed for some time. At its heart is the ability of a browser (through the XMLHttpRequest object) to send asynchronous requests to a server and to handle the responses in custom JavaScript code instead of simply rendering them to the screen. Other ancillary technologies are included under the same umbrella term: visual effects, interactive components such as rich-text editors, data serialization and more. These are largely subordinate to the primary goal: allow the browser to act as an asynchronous client, bypassing its default behavior of rendering every response as a new page.

Ajax apps are not Web services, RESTful or otherwise, designed for consumption by other software; they are functionally designed to be experienced through a browser. Securing a browser-based application means securing two parties: the user, who wants to protect his private data, and the application, which wants to protect its users' data and its own code. In the context of an Ajax app, three things must hold: private data in the user's browser must not leak to the server beyond what the user intends to submit; one user's data held on the server must not leak to another user's client; and server-internal sensitive information must not be passed to any client at all. The last two rules have to be enforced on the server, because the client-side JavaScript that decides what to request can be read and modified by anyone who loads the page.

This was first published in November 2007
