Technology changes… but not good security practices!
While trying to brush up on the state of Web Application security, I thought I’d follow a link to an article at White Hat Security on “Myth-Busting AJAX (In)Security”. I had recently had a comment from someone that they had heard “Java Applet use is declining in favour of technologies like AJAX”. However, in a recent CNET podcast, I also heard about how AJAX was being associated with a lot of new Cross-Site Scripting (XSS - I guess CSS was already too commonly used for Cascading Style Sheets…) attacks. So, this warranted some investigation to see what the real story is.
The White Hat discussion on AJAX security by Jeremiah Grossman provides some interesting background information, and helps explain why AJAX is being associated with poor security in some cases.
As for the issue of declining Java Applet usage, I have the feeling that the inherent security model of Java is being abandoned by some developers so they can do more dynamic and exciting things, such as the continuous map scrolling in Google Maps.
The one thing I was happy to see in Jeremiah’s article was a “Top 5 Tips for Securing Web Applications”…
1) Secure by design. Start secure and stay secure by including security as a component in each stage of the software development lifecycle.
2) Rock-solid input validation. Never trust the client, ever.
3) Use reliable software libraries. From encryption to session management, it’s best to use components that are tried and thoroughly tested. No need to reinvent the wheel and repeat the mistakes of others.
4) Secure configuration. Every component of the website should be configured with separation of duties, least privilege, unused features disabled, and error messages suppressed.
5) Find and fix vulnerabilities. Continuous vulnerability assessments are the best way to prevent attackers from accessing corporate and customer data. You can’t control what you can’t measure.
What’s interesting is that these are timeless tips, no matter what technology you are using to implement Web Applications.
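To make tip 2 concrete for the AJAX XSS case mentioned above, here is an added example (not code from the original post or from Mr. Grossman’s article): a page fetches JSON and splices its fields into HTML, and one field carries user-supplied text. The endpoint name and the sample response are assumptions constructed for the example.

```javascript
// Added example: the "XSS over Ajax" pattern and its fix. A script takes a
// JSON response and builds markup from it; if any field contains text that
// another user submitted, that text runs as script in every visitor's
// browser. The fix follows tip 2: treat the response as untrusted input,
// validate its shape, and encode every value before it becomes HTML.

// Constructed sample response (assumption: a comment-search endpoint).
// The second comment's fields contain text supplied by another user.
const sampleResponse = JSON.stringify({
  results: [
    { author: "alice", text: "Nice article" },
    { author: "<b>mallory</b>", text: "<script>alert(1)</script>" },
  ],
});

// Encode the five characters that let text change HTML structure.
// '&' must be replaced first so the entities added later are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: trusts the response and builds markup by concatenation.
function renderUnsafe(json) {
  const data = JSON.parse(json);
  return data.results
    .map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`)
    .join("");
}

// Hardened form: validate the shape (never trust what comes over the wire),
// then escape every field before it is used as HTML.
function renderSafe(json) {
  const data = JSON.parse(json);
  if (!data || !Array.isArray(data.results)) {
    throw new Error("unexpected response shape");
  }
  return data.results
    .map((c) => {
      if (typeof c.author !== "string" || typeof c.text !== "string") {
        throw new Error("unexpected field type");
      }
      return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`;
    })
    .join("");
}
```

In a real page the string from `renderSafe` is what gets assigned to `innerHTML`; where no markup is needed at all, assigning the raw field to `textContent` avoids the problem entirely.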
Thanks to Mr. Grossman for reminding us of this. It also looks like the White Hat site has many other good articles on Web security.
- Scott


Tara on 28 Jan 2007 at 10:54 pm
Hello. I came across your comment here: http://ajaxian.com/archives/passpack-and-assl
I see that you managed to find the information you were looking for. XSS over Ajax is a growing problem mostly because the JavaScript in websites is often built by the web developers who are not necessarily security aware.
If an app is built properly, is well tested and the coders are ready to find and fix vulnerabilities, then it’s going to be a safe app. Otherwise, not.