AOH :: ISNQ4896.HTM

Mashups, SAAS Present Security Risks

Mashups, SAAS Present Security Risks
Mashups, SAAS Present Security Risks


http://www.eweek.com/article2/0,1895,2227704,00.asp 

By Darryl K. Taft
eWeek.com
December 4, 2007

BOSTON -- The rise of mashups and similar technologies has given 
developers a way to build simple applications, but they're also opening 
up a new world of security issues.

The risks involved with mashups and SAAS (software as a service) come 
because of the amount of sensitive data that can be exposed on the 
Internet. However, Jeremy Burton, CEO of Serena Software, which released 
its enterprise mashup platform Dec. 3, said the benefits of the 
technologies can outweigh the risks.

"There are definitely security risks involved when exposing any URL on 
the Internet which contains confidential data behind it," Burton said at 
the XML 2007 conference here Dec. 3. "But the productivity of mashups 
and economics of SAAS are so compelling that enterprises will take steps 
to manage the risk and reap the benefits. A trip in a jet airliner has a 
thousand times more risk than a horse and cart but amazingly everybody 
still uses it."

Burton spoke after a panel discussion at the show regarding the future 
of XML on the Web. Mashups rely on Web services to work, as they are 
combinations of various services. Web services are typically XML-based, 
and HTML is the language needed to design Web pages, upon which mashups 
reside.

Rene Bonvanie, senior vice president of worldwide marketing for partners 
and online services at Serena, said that with mashups, "there are 
multiple layers at which security can be instrumentedfirst of all, at 
the source systems; second at the SOA [service-oriented 
architecture]/middleware architecture level; and third at the mashup 
platform level."

There's no inherent security in SAAS, said Ron Schmelzer, an analyst 
with ZapThink. "You have to explicitly design that in," he said. "And by 
explicit, that means you have to design authentication and authorization 
into the way that the service responds to consumers. Furthermore, you 
have to deal with a new bread of denial-of-service attack that can 
target Service dependencies."

Mashups, by their nature as a composition of services, don't introduce 
new security issues, Schmelzer said.

"The security issue in composition is the problem of security context in 
which you have to deal with the fact that composing different systems 
might mean trying to span different identity domains, which is a 
significant problem for companies that have not made a prior investment 
in identity management systems," he said.

That said, the security issue is not a fatal flaw for SAAS, mashups and 
SOA, Schmelzer said.

"It just needs to be addressed," he said. "Properly designed SOA, SAAS 
or mashups can be every bit as secure as any other enterprise 
application system, which means [they can be] as good as the 
architects."

Douglas Crockford, a senior JavaScript architect at Yahoo who is know 
for discovering the JavaScript Object Notation, said there's been 
nothing really new done to HTML since 1999, which has led to security 
problems and security risks down the line for technologies such as 
mashups.

"We've been so distracted by XML that HTML has not gotten the attention 
it needs," said Crockford, who was on the panel at the show..

Moreover, he said, "mashups are interesting but, unfortunately, because 
of security problems, they're just too dangerous. We have to address the 
security problems of the platform and get them right.  Mashups allow for 
taking data from several sources. The problem we have is there's no way 
of protecting the various agents from each other."

In addition, an acquiring server can't know if it is getting the right 
thing, he said. A vicious script could get "full access to the screen 
and can ask anything of the user, including their password. It's 
inherently dangerous."

Michael Day, founder of YesLogic and the architect of the Prince 
formatter, said XML does have a future on the Web, if only as a server 
technology. XML seems to have gone the way of other technologies, such 
as Java, that started out as client-side technologies and ended up in 
the server realm, Day said.

"XML is still a vital part of the server infrastructure in many 
systems," he said.

Crockford said XML will continue to be vital because "once something 
gets into the enterprise, it can take generations to get it out. You can 
still buy a COBOL compiler. XML is clearly trending down; it is not 
going to replace HTML on the Web."

Michael Sperberg-McQueen, a member of the technical staff at the World 
Wide Web Consortium and one of the original editors of XML 1.0, also 
said XML has a future on the Web.

"There were 200 or so people involved in the formation of XML," 
Sperberg-McQueen said. "One goal was very simple; I wanted to be able to 
write things in descriptive markup using a vocabulary I was familiar 
with."

Moreover, "we won," Sperberg-McQueen said. "Every major browser supports 
the display of XML and client-side XSLT [Extensible Stylesheet Language 
Transformations].  XML will die when you rip it out of my cold, dead 
hands."


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/

Site design & layout copyright © 1986- CodeGods