I’m not a huge fan of security and everything associated with it. That’s not because I don’t think it’s important; I actually think it’s critical in both networking and application development. It’s just not my thing, and I’ve usually worked in technology areas where security is important but somewhat peripheral.
That being said, I attended a couple of sessions at Web2Expo today where security issues were a takeaway in both.
First, Jacob West (who’s written a book on security) gave an interesting talk on the “Dark Side of Ajax.” It’s not news that Ajax has some significant security holes; several have already been exposed and are fairly well known. Some examples:
- Cross-Site Request Forgery (CSRF or XSRF) is nasty and exploits websites that need user authentication (among other things)
The big-picture point, which seems obvious to me, is that Ajax security is an issue and it’s not really being solved efficiently, at least not yet. It seems to be totally greenfield, and there’s going to be a lot of opportunity for vendors (networking products, browsers, apps, etc.) to do something about it. I just hope they start soon.
The other session I attended had to do with APIs and how they’re a big driver for the way web applications are being developed these days. One of the interesting takeaways for me was an initiative called OAuth, which addresses the authentication issue with APIs. Most APIs currently use HTTP’s Basic Authentication mechanism, and OAuth seems to be a new way to leverage HTTP’s headers to create a token-based authentication mechanism for APIs. The best thing about it: it’s an open protocol that hopes to grow up to be a standard. I’ve always been a fan of those!
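To make the header-based, token-based mechanism concrete, here is an added example (not code from the original post or from the OAuth project) of the original OAuth 1.0 signed-request exchange in Python: the client signs the request with HMAC-SHA1 and carries the token and signature in the Authorization header, and the server recomputes the signature from its stored secrets, compares it in constant time, and rejects stale timestamps and replayed nonces, which is what keeps the token from being a reusable password. The credential values, URL and query are constructed sample data, and the code assumes default ports are omitted from the URL and that the header uses the comma-separated format it generates itself.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote, urlsplit
# Constructed example credentials (not real); a provider issues these out of band.
CONSUMERS = {"dpf43f3p2l4k5l03": "kd94hf93k423kf44"}  # consumer key -> consumer secret
TOKENS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}     # access token -> token secret
SEEN = set()  # (consumer key, timestamp, nonce) triples the server has already accepted

def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left as-is.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded base URL (lowercased scheme/host, path, no query; default port assumed omitted) & encoded sorted "k=v&k=v".
    u = urlsplit(url)
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # the two secrets joined by "&"
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def client_request(method, url, query, consumer_key, token, ts=None, nonce=None):
    # Client side: sign the query plus the oauth_* parameters and carry them in the Authorization header.
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token, "oauth_version": "1.0",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(ts or int(time.time())),
             "oauth_nonce": nonce or secrets.token_hex(8)}
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, CONSUMERS[consumer_key], TOKENS[token])
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"method": method, "url": url, "query": query, "Authorization": header}

def server_verify(req, now=None, window=300):
    # Server side: parse the header, recompute the signature from stored secrets, compare in constant time, refuse stale or replayed requests.
    scheme, _, rest = req["Authorization"].partition(" ")
    oauth = {}
    for part in rest.split(", "):
        k, _, v = part.partition("=")
        oauth[unquote(k)] = unquote(v.strip('"'))
    sig = oauth.pop("oauth_signature", "")
    c_sec, t_sec = CONSUMERS.get(oauth.get("oauth_consumer_key")), TOKENS.get(oauth.get("oauth_token"))
    ts = oauth.get("oauth_timestamp", "")
    if scheme != "OAuth" or c_sec is None or t_sec is None or not ts.isdigit():
        return False
    if abs((now or int(time.time())) - int(ts)) > window:
        return False  # outside the accepted clock window
    expected = sign(req["method"], req["url"], {**req["query"], **oauth}, c_sec, t_sec)
    replay = (oauth["oauth_consumer_key"], ts, oauth.get("oauth_nonce"))
    if not hmac.compare_digest(sig.encode(), expected.encode()) or replay in SEEN:
        return False
    SEEN.add(replay)
    return True
```

A real deployment would store the seen nonces with an expiry matching the timestamp window rather than in an unbounded in-memory set.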