Gaps In Your Software Security
Web 2.0, AJAX create more places for attacks to gain entry
By SD Times News Team
February 1, 2007 —
(Page 1 of 4)
They used to talk about buffer overflows, cross-site scripting errors and SQL injections. But today talk from application security tool makers is all about AJAX and Web 2.0.
If the shifting conversation is any indication, the old threats—essentially techniques hackers use to attack applications—are a thing of the past, replaced by new types of attacks, unique to AJAX (Asynchronous JavaScript and XML) and Web 2.0.
But nothing could be further from the truth, according to application security tool makers. The old threats are alive and well, and the newer technologies have not given rise to fundamentally new types of attacks. But three key factors are changing the application security landscape, steering the conversation in a new, bigger-picture direction.
First, like other tool makers, those that sell application security offerings are eager to reposition their tools around the current hot technologies, leading to “a lot of chatter around AJAX and Web 2.0,” said Ed Adams, president and CEO of software security consultancy Security Innovation. “They are the latest and greatest technologies.”
Second, the application security market, relatively unknown only a few years ago, is moving out of its earliest phase. And rather than focus on highly technical details pertaining to SQL injections and cross-site scripting errors, for example, tool makers are emphasizing the root cause of these flaws: the need to validate input to Web applications.
“We need to stop chasing the vulnerabilities one by one,” said Danny Allan, strategic research analyst for Watchfire, which sells application security tools, among other offerings.
Theresa Lanowitz, who heads research firm Voke, agreed. But she also pointed out that app security tool makers are emphasizing the big picture in order to better position their offerings to business decision makers. “The CIO does not want to [listen to you] talk about buffer overflows. If you do, he’ll send you to development.”
The third, and most important, reason the app security conversation is changing is that AJAX and Web 2.0 have in fact made Web applications more vulnerable, most of the tool makers agreed. By definition, both technologies are highly responsive to the user, and that has created a “bigger attack surface,” said Bryan Sullivan, a development manager for application security tool maker SPI Dynamics. In the past, when applications accepted input through a single form, “there was one door to secure. But with AJAX and Web 2.0, there are many, many more [entry points].” And each represents an opening a hacker could exploit, he said. “Think about a bank, versus a shopping mall. There’s one door for the bank, but hundreds of doors for the shopping mall. And they all have to be guarded.”
Share this link: http://sdt.bz/30090
Most Read Latest News Blog Resources
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
|
Illumination Software Creator 4.2 adds 'Portal Blocks'
Radical Breeze today released version 4.2 of Illumination Software Creator for Linux, MacOS X and Windows
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|