I’m not a huge fan of security and everything that is associated with it. That’s not because I don’t think it’s important; I actually think it’s critical in both networking and application development. But, rather, it’s just not my thing and I’ve usually been in technology areas where security is important, but somewhat peripheral.
That being said, I attended a couple of sessions at Web2Expo today where security issues were a takeaway in both.
First, Jacob West (who’s written a book on security) gave an interesting talk on the “Dark Side of Ajax.” It’s not news that Ajax applications have significant, well-known security holes. Some examples:
- Cross-site scripting (XSS) lets an attacker inject JavaScript into a site’s content so that it runs in the browsers of later visitors (the famous MySpace worm exploited this).
- Cross-Site Request Forgery (CSRF or XSRF) is nasty: it targets sites that rely on user authentication, tricking a logged-in user’s browser into sending a request the site accepts as the user’s own, because the browser attaches the session cookie automatically.
- And a newer one called JavaScript hijacking, which Jacob has written a paper on: because a JSON array is also a valid JavaScript program, a hostile page can pull another site’s authenticated JSON data in with a plain script tag.
I’ve seen similar presentations at other Ajax/Web 2.0 events, and it strikes me how much of the talk is about the problems and how little is about what’s being done about them. Mr. West did talk about how some popular Ajax frameworks are addressing the JavaScript hijacking issue, which is great. But what happens with the next vulnerability, and the one after that?
The big-picture point that seems obvious to me is that Ajax security is an issue and it’s not really being solved efficiently – at least not yet. It seems to be totally greenfield, and there’s going to be a lot of opportunity for vendors (networking products, browsers, apps, etc.) to do something about it. I just hope they start soon.
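To make the JavaScript hijacking point concrete, here is an added example (not code from the talk, from Jacob West’s paper, or from any Ajax framework). It checks whether a response body would parse as a script, which is exactly what a script tag on a hostile page needs, and shows two of the mitigations frameworks adopted: an un-parseable prefix that the real client strips, and wrapping the top-level array in an object. The prefix string, the function names and the sample contact list are this example’s own choices.

```javascript
// Added example: why a JSON array response can be "hijacked" via a script tag,
// and two response-shaping mitigations. Illustrative code only; the prefix
// value, function names and data are assumptions of this example.

// Syntax check: can this response body be parsed as a JavaScript program?
// <script src="https://victim/api/contacts"> only does anything if it can.
function isLoadableAsScript(body) {
  try {
    new Function(body); // parse only; the body is never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data: what an authenticated JSON endpoint might return.
const CONTACTS = [
  { name: "Alice", email: "alice@example.com" },
  { name: "Bob", email: "bob@example.com" },
];

// Vulnerable encoding: a bare JSON array. It is a valid JS expression
// statement, so a hostile page can load it cross-domain with a script tag
// and, in browsers that let a page override Array construction or property
// setters, capture its contents with the victim's cookies attached.
function encodeVulnerable(data) {
  return JSON.stringify(data);
}

// Mitigation 1: prefix the body with text that is a JavaScript syntax error.
// The legitimate XHR client strips it before JSON.parse; a script tag fails
// at parse time, before any attacker-installed hook can observe anything.
const PREFIX = ")]}',\n"; // assumption: any un-parseable prefix will do
function encodeProtected(data) {
  return PREFIX + JSON.stringify(data);
}
function decodeProtected(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijacking prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// Mitigation 2: never return a bare array. A top-level object literal such as
// {"contacts":[...]} is not a valid program (the braces parse as a block and
// the string literal cannot be followed by a colon), so a script tag cannot
// load it either, while XHR + JSON.parse handles it fine.
function encodeAsObject(data) {
  return JSON.stringify({ contacts: data });
}
```

A third option is to serve the data only on POST, or to demand a secret CSRF token on the request, since a script tag can only issue a plain GET with no custom headers or body. The prefix and object-wrapping approaches above are nice because they need no server-side state.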
The other session I attended had to do with APIs and how they’re a big driver for how web applications are being developed these days. One of the interesting takeaways for me was an initiative called OAuth, which addresses the authentication issue with APIs. Most APIs currently use HTTP’s Basic Authentication mechanism, which means the user’s password travels, merely base64-encoded, on every request and has to be handed to any third-party application that calls the API on the user’s behalf. OAuth instead leverages HTTP’s Authorization header to carry a per-application token plus a signature over the request, so the password itself stays out of the exchange. The best thing about it: it’s an open protocol that hopes to grow up to be a standard. I’ve always been a fan of those!

Web application security is one of those areas that has received painfully little attention as a whole. Most organizations don’t even know it is something they should be paying attention to. Having been on the vendor side of a WAF (Web Application Firewall) I can’t count the number of times that someone has said that “we have a firewall already” without understanding that was part of the problem.
One of the sinners in this whole discussion is the firewall people! With misleading datasheets, many organizations are duped into believing that their firewalls protect them from such exposures.
Application deliverers are also living in a bit of denial. There is a degree of “that would never happen to me” or “that’s too obscure” which makes them ambivalent. At times, you just need to resist the urge to violently shake them and scream “just because YOU don’t understand it doesn’t mean others don’t!”
Great… now I’m getting all worked up. Quit posting things that irritate me.
As a very interested party, but someone who is not knowledgeable about what standards, if any, exist to allow for useful and meaningful security and trust enforcement, analysis, etc., I think you’re both right.
Most mainstream security vendors that provide various types of firewalls and “Internet security” products seem to fall into the trap described by Maslow: When the only tool you have is a hammer, everything starts looking like a nail.
It’s imperative for us to have anti-virus and other anti-malware components on our systems, but more and more, release after release, these tools get more and more bloated, and they continue to slow down and/or interrupt every aspect of using my computer.
The problem of too little attention, as Steve commented on, has manifested itself in the form of what appear to be few good (if any) interfaces for inspecting and assessing security, trust, threats, etc. in web applications, all the while fattening up existing security products to provide a false sense of security.