"Most developers will throw a Web service up,
make a database call that is probably SQL injectable, and have no
session authentication to protect the transaction"

So the summary here is that people who should be fired will continue to write bad code? This issue has nothing to do with AJAX security and everything to do with bad practice, poor design and a lack of understanding of how systems work.  It's fine for security folks to talk about not repeating the bone-head mistakes of before in these applications, but one of the big problems has always been that security people fail to innovate in ways that make things simpler, which means they are always doing catch-up on new technologies.

Rather than complaining that people should avoid stupid mistakes it might help more if there were people actually solving the distributed and federated trust model in a way that makes it simple to use.  It's one of the big challenges (along with federated data) that Shadow IT gives to organisations and so far the security world's only response has been "don't do that".



On 24/06/06, Gervas Douglas <[EMAIL PROTECTED]> wrote:

<<Popular programming initiatives such as services-oriented
architectures and dynamic Web user interfaces are destined to fail if
they're not developed with security in mind.

This was the sentiment Tuesday at the Software Security Summit in
Baltimore, where application security vendors promised that those who
forget past software development mistakes--particularly when cool new
features trumped security--are destined to repeat those mistakes on
the Web.

"I want people to think about input validation, error handling, and
other security matters before they create a Web service," Jeff
Williams, CEO of security services firm Aspect Security, said
Tuesday. Otherwise, SOAs that push complexity behind the scenes and
emphasize application interoperability will create a system of
insecure services sharing information.

Although the vendors here had an obvious self-interest in stirring
things up, concerns over security aspects of Web services have been
growing for several years. Simply put, it's just more difficult to
bake in protection in a distributed world.

In a worst-case scenario, instead of an attack on a Web application
exposing some credit-card numbers, an attack could expose all credit
card numbers, Williams added, pointing out that Web services only
work "when you can trust the relationships between applications."

Dynamic Web coding languages such as Ajax, or Asynchronous JavaScript
and XML, also require careful attention to security. Ajax
applications access data in smaller increments, which lets them serve
pages faster and provide the user with a smoother experience. "This
is a huge hurdle for developing and testing securely," says Joe
Basirico, manager of technology and security services with Security
Innovation, a provider of software security testing and training
services.

"If an attacker can figure out your Ajax data request layout, which
depends on factors such as the type of data being requested and the
permissions needed to access data, they can figure out how to access
data without having the authorization to do so," says Basirico, who
spent two years as a programmer with Microsoft.

Ajax is the technology underlying Google Maps, GMail, Microsoft's own
MSN.com and Hotmail. Ajax allows a Web application to interact with a
user without constantly downloading HTML pages, making software on
the Web act like it's running locally on a PC.

This technology has captured the imagination of companies throughout
the software industry. IBM in late January announced an "Open" Ajax
initiative and donated software that allows developers to work with
Ajax on the Eclipse programmer's workbench. This move was backed by a
number of significant software and Web companies, including BEA
Systems, Google, Mozilla, Novell, Oracle, Red Hat, and Yahoo. Open
Ajax members met last month to advance their plans for standardized,
openly developed specifications and tools for Ajax. Microsoft is even
planning to offer Ajax-style programming technology code-named Atlas,
which will be included in the next version of Visual Studio.

But attacks within Ajax environments are already a reality. A teenage
programmer known as "Samy" last year inserted code in his MySpace Web
site user profile so that those viewing his profile would have their
own profiles corrupted. "The MySpace hack was the first Ajax worm and
consisted of a cross-site script that automatically added [Samy's]
profile to the friends list of many MySpace users," says Caleb Sima,
chief technology officer of Spi Dynamics, a provider of Web
application security and testing technology.

In an Ajax environment, the application makes frequent calls to a
database, a characteristic that "increases your attack surface," Sima
says.

With a more conventional Web application, a user would, for example,
fill out an online form to apply for a new bank account and submit
that form for approval. A programmer could add Ajax or Web services
capabilities to that application by immediately alerting the user if
information is entered improperly in different fields, even before
the form is submitted. "These Web services are all making calls to a
database," Sima says. "Most developers will throw a Web service up,
make a database call that is probably SQL injectable, and have no
session authentication to protect the transaction."

Such oversights compromise the security of Web applications as well
as the databases they access.>>

You can read this at:

http://www.soapipeline.com/188702749

Gervas
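The two failure modes the article's quotes describe, a field-validation Web service whose database call is "SQL injectable" and one with "no session authentication to protect the transaction" (Sima), plus an Ajax endpoint that hands out data "without having the authorization to do so" (Basirico), are easy to see side by side in code. The block below is an added example written for this thread; it is not code from the article, from any of the quoted vendors, or from the list. The account table, the in-memory SQLite database and the `SESSIONS` token store are constructed for the demonstration; a real service would use its framework's session handling rather than a module-level dict.

```python
import sqlite3
import secrets


def make_db():
    """Constructed sample data: two bank accounts owned by two users.
    Nothing here comes from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, "
        "username TEXT UNIQUE, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, username, balance) VALUES (?, ?, ?)",
        [("alice", "alice01", 120.0), ("bob", "bob99", 5000.0)],
    )
    return conn


# Hypothetical server-side session store: token -> authenticated user.
SESSIONS = {}


def login(user):
    """Issue an unguessable session token after authentication (assumed
    to have happened elsewhere) and remember who it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


# ---- The pattern the article warns about ----

def username_taken_vulnerable(conn, username):
    """Ajax 'is this username free?' check as the article describes it:
    the client's value is spliced into the SQL text, so any quote character
    in the input becomes part of the statement instead of part of the data."""
    sql = "SELECT COUNT(*) FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def balance_vulnerable(conn, account_id):
    """Returns the balance of whatever account id the client names: no
    session, no check that the caller owns the row."""
    sql = "SELECT balance FROM accounts WHERE id = " + str(account_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# ---- Hardened form ----

def username_taken(conn, username):
    """Same check with a bound parameter: the driver passes the value
    separately from the statement, so input can never change the query.
    A username containing a quote is handled as ordinary data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] > 0


def balance(conn, token, account_id):
    """Authenticate the session first, then scope the query to rows the
    caller owns. An unknown token or someone else's account yields None,
    so guessing the request layout does not expose other users' data."""
    user = SESSIONS.get(token)
    if user is None:
        return None
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tok = login("alice")
    print("alice01 taken:", username_taken(db, "alice01"))
    print("o'brien taken:", username_taken(db, "o'brien"))
    print("alice's balance:", balance(db, tok, 1))
    print("alice asking for bob's account:", balance(db, tok, 2))
```

The point of the pairing is that neither fix is specific to Ajax: the parameterised query makes the client's string inert, and the session lookup plus `owner = ?` clause means every request, however small the increment of data it asks for, is authorised against the caller rather than against whatever id the browser happened to send.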

