Cyber Security Institute

Tuesday, December 04, 2007

Mashups, SAAS Present Security Risks

Experts say the technologies and their building blocks, XML and HTML, have inherent security flaws.  The rise of mashups and similar technologies has given developers a way to build simple applications, but they’re also opening up a new world of security issues.  The risks involved with mashups and SAAS (software as a service) come because of the amount of sensitive data that can be exposed on the Internet.  However, Jeremy Burton, CEO of Serena Software, which released its enterprise mashup platform Dec. 3, said the benefits of the technologies can outweigh the risks.  “There are definitely security risks involved when exposing any URL on the Internet which contains confidential data behind it,” Burton said at the XML 2007 conference here Dec. 3.

Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside.  “You have to explicitly design that in,” he said.  “And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers.”  Mashups, by their nature as a composition of services, don’t introduce new security issues, Schmelzer said.

“The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems,” he said.  That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.
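The two points above, a service that must have authentication and authorization designed into how it answers consumers, and a composition that spans more than one identity domain, can be made concrete in a few dozen lines. The following Python sketch is an added example, not code from the eWeek article, from Serena, or from any product named on this page. It contrasts a "bare URL" handler that returns a record to anyone who asks for it with a handler that first verifies a bearer token against a fixed set of trusted issuers (one per identity domain) and then checks that the caller owns the record. The HMAC-signed token format, the issuer-to-key map, the record store and the identities are all constructed for the illustration; a real federation would use asymmetric keys and a standard token format rather than this toy scheme.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration: the identity domains (token issuers) this
# service accepts, each with the shared HMAC key used to verify its tokens.
# A consumer arriving with a token from any other domain is refused, which is
# the "security context" problem of composing services across domains.
TRUSTED_ISSUERS = {
    "idp.corp.example": b"corp-domain-signing-key",
    "idp.partner-a.example": b"partner-a-domain-signing-key",
}

# Constructed backing data: the confidential records sitting behind the URL.
RECORDS = {
    "42": {"owner": "alice@corp.example", "salary": 120000},
    "43": {"owner": "bob@partner-a.example", "salary": 95000},
}


def mint_token(issuer, subject, key, ttl=300):
    """Issue a compact HMAC-SHA256 bearer token: base64url(payload).base64url(sig)."""
    claims = {"iss": issuer, "sub": subject, "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token):
    """Return the claims if the token comes from a trusted issuer, is signed
    with that issuer's key and has not expired; otherwise return None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # foreign identity domain: no trust relationship exists
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered token
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def insecure_service(query):
    """The bare URL with confidential data behind it: whoever can reach
    ?id=42 gets the record, and nothing in the response path asks who is calling."""
    record = RECORDS.get(query.get("id"))
    return (200, record) if record else (404, None)


def secure_service(query, headers):
    """Same resource with authentication and authorization designed into the
    response: 401 without a valid token from a trusted domain, 403 for a
    caller who does not own the record, 200 only when both checks pass."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return (401, None)
    record = RECORDS.get(query.get("id"))
    if record is None:
        return (404, None)
    if record["owner"] != claims["sub"]:
        return (403, None)
    return (200, record)


if __name__ == "__main__":
    alice = mint_token("idp.corp.example", "alice@corp.example",
                       TRUSTED_ISSUERS["idp.corp.example"])
    print(insecure_service({"id": "42"}))                                   # leaks the record
    print(secure_service({"id": "42"}, {}))                                 # 401
    print(secure_service({"id": "43"}, {"Authorization": "Bearer " + alice}))  # 403
    print(secure_service({"id": "42"}, {"Authorization": "Bearer " + alice}))  # 200
```

The order of checks matters: the token is validated before the record is even looked up, so an unauthenticated caller learns nothing about which ids exist, and a caller from a domain the service has no trust relationship with is indistinguishable from one with no token at all. That refusal is the cost Schmelzer describes for companies without an identity management investment: until the second domain's issuer is in the trusted set, its users simply cannot consume the service.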

Douglas Crockford, a senior JavaScript architect at Yahoo who is known for discovering the JavaScript Object Notation, said there’s been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups.  “We’ve been so distracted by XML that HTML has not gotten the attention it needs,” said Crockford, who was on the panel at the show.

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology.  XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said. 

http://www.eweek.com/article2/0,1759,2227704,00.asp?kc=EWRSS03119TX1K0000594

Posted on 12/04 under Warnings