Web2Expo – an inadvertent foray into security issues

I’m not a huge fan of security and everything that is associated with it. That’s not because I don’t think it’s important; I actually think it’s critical in both networking and application development. But, rather, it’s just not my thing and I’ve usually been in technology areas where security is important, but somewhat peripheral.

That being said, I attended a couple of sessions at Web2Expo today where security issues were a takeaway in both.

First, Jacob West (who’s written a book on security) gave an interesting talk on the “Dark Side of Ajax.” It’s not news that Ajax applications have some significant and by now well-known security holes. Some examples:

  • Cross-site scripting (XSS) lets an attacker inject JavaScript into the content of a website so that it runs in the browsers of future visitors, with whatever access those visitors have (the famous MySpace worm exploited this).
  • Cross-Site Request Forgery (CSRF or XSRF) is nasty and exploits websites that rely on user authentication (among other things): because the browser attaches the session cookie automatically, a page controlled by the attacker can make a logged-in user’s browser send a request that the site treats as that user’s.
  • And a newer one called JavaScript hijacking, which Jacob has actually written a paper on: a JSON response that is also valid JavaScript (a bare array literal, for example) can be pulled in cross-site with a script tag and its data read out by the attacker’s page.

I’ve seen similar presentations at other Ajax/web2.0 events and it’s interesting to me how it’s a lot of talk about how there are problems and very little about what’s being done about them. Mr. West did talk about how some popular Ajax frameworks are addressing the JavaScript hijacking issue, which is great. But, what happens with the next vulnerability, and the one after that?

The big picture point that seems to be obvious to me is that Ajax security is an issue and it’s not really being solved efficiently – at least not yet. It seems to be totally greenfield and there’s going to be a lot of opportunity for vendors (networking products, browsers, apps, etc) to do something about it. I just hope they start soon.

The other session I attended had to do with APIs and how they’re a big driver for how web applications are being developed these days. One of the interesting takeaways for me was an initiative called OAuth, which addresses the problem of letting one application call an API on a user’s behalf. APIs currently mostly use HTTP’s Basic Authentication mechanism, which means the calling application holds the user’s password and sends it on every request. OAuth instead uses HTTP’s Authorization header to carry a token-based credential: the API issues a token to the calling application, requests are signed with a secret that never travels on the wire, and the user’s password never has to be handed over. The best thing about it: it’s an open protocol that hopes to grow up to be a standard. I’ve always been a fan of those!