By Darryl K. Taft
December 4, 2007
BOSTON -- The rise of mashups and similar technologies has given
developers a way to build simple applications, but they're also opening
up a new world of security issues.
The risks involved with mashups and SAAS (software as a service) come
because of the amount of sensitive data that can be exposed on the
Internet. However, Jeremy Burton, CEO of Serena Software, which released
its enterprise mashup platform Dec. 3, said the benefits of the
technologies can outweigh the risks.
"There are definitely security risks involved when exposing any URL on
the Internet which contains confidential data behind it," Burton said at
the XML 2007 conference here Dec. 3. "But the productivity of mashups
and economics of SAAS are so compelling that enterprises will take steps
to manage the risk and reap the benefits. A trip in a jet airliner has a
thousand times more risk than a horse and cart but amazingly everybody
still uses it."
Burton spoke after a panel discussion at the show regarding the future
of XML on the Web. Mashups rely on Web services to work, as they are
combinations of various services. Web services are typically XML-based,
and HTML is the language needed to design Web pages, upon which mashups
Rene Bonvanie, senior vice president of worldwide marketing for partners
and online services at Serena, said that with mashups, "there are
multiple layers at which security can be instrumentedfirst of all, at
the source systems; second at the SOA [service-oriented
architecture]/middleware architecture level; and third at the mashup
There's no inherent security in SAAS, said Ron Schmelzer, an analyst
with ZapThink. "You have to explicitly design that in," he said. "And by
explicit, that means you have to design authentication and authorization
into the way that the service responds to consumers. Furthermore, you
have to deal with a new bread of denial-of-service attack that can
target Service dependencies."
Mashups, by their nature as a composition of services, don't introduce
new security issues, Schmelzer said.
"The security issue in composition is the problem of security context in
which you have to deal with the fact that composing different systems
might mean trying to span different identity domains, which is a
significant problem for companies that have not made a prior investment
in identity management systems," he said.
That said, the security issue is not a fatal flaw for SAAS, mashups and
SOA, Schmelzer said.
"It just needs to be addressed," he said. "Properly designed SOA, SAAS
or mashups can be every bit as secure as any other enterprise
application system, which means [they can be] as good as the
nothing really new done to HTML since 1999, which has led to security
problems and security risks down the line for technologies such as
"We've been so distracted by XML that HTML has not gotten the attention
it needs," said Crockford, who was on the panel at the show..
Moreover, he said, "mashups are interesting but, unfortunately, because
of security problems, they're just too dangerous. We have to address the
security problems of the platform and get them right. Mashups allow for
taking data from several sources. The problem we have is there's no way
of protecting the various agents from each other."
In addition, an acquiring server can't know if it is getting the right
thing, he said. A vicious script could get "full access to the screen
and can ask anything of the user, including their password. It's
Michael Day, founder of YesLogic and the architect of the Prince
formatter, said XML does have a future on the Web, if only as a server
technology. XML seems to have gone the way of other technologies, such
as Java, that started out as client-side technologies and ended up in
the server realm, Day said.
"XML is still a vital part of the server infrastructure in many
systems," he said.
Crockford said XML will continue to be vital because "once something
gets into the enterprise, it can take generations to get it out. You can
still buy a COBOL compiler. XML is clearly trending down; it is not
going to replace HTML on the Web."
Michael Sperberg-McQueen, a member of the technical staff at the World
Wide Web Consortium and one of the original editors of XML 1.0, also
said XML has a future on the Web.
"There were 200 or so people involved in the formation of XML,"
Sperberg-McQueen said. "One goal was very simple; I wanted to be able to
write things in descriptive markup using a vocabulary I was familiar
Moreover, "we won," Sperberg-McQueen said. "Every major browser supports
the display of XML and client-side XSLT [Extensible Stylesheet Language
Transformations]. XML will die when you rip it out of my cold, dead
Visit InfoSec News