[LINK] Web 2.0 apps riddled with holes, warns SPI

Bernard Robertson-Dunn brd at iimetro.com.au
Mon Apr 30 10:14:15 AEST 2007 

Web 2.0 apps riddled with holes, warns SPI
Dynamic apps built using AJAX, SOAP, SOA and Flash pose possible 
security concerns for developers
Bryan Betts (Techworld.com)
27/04/2007 08:30:21
http://www.computerworld.com.au/index.php/id;1095339654;fp;16;fpid;1

New browser-based application technologies are opening new security 
holes, warned SPI Dynamics as it launched a re-engineered version of its 
SOA/Web 2.0 security testing software WebInspect this week.

Brian Cohen, SPI's CEO, said that older testing tools -- including his 
-- were fine for relatively static server-side applications, but are no 
good for modern dynamic apps built using the likes of AJAX, SOAP, SOA 
and Flash.

"These applications are not static, or even close to it," he said. "The 
underpinnings of the web have fundamentally changed. HTML and CGI 
applications were predictable, but now the environment is much more 
complicated to interpret - it is dynamic."

Cohen said that SPI had to completely redesign the platform that 
underlies the latest version of WebInspect so it can analyze Web 2.0 
applications, looking at client-side security as well as server-side.

The danger is more widespread than users might think, said James 
Spooner, technical director of Lodoga Security, which beta-tested 
WebInspect 7.

"Proper corporate applications are using many of these features in quite 
subtle ways," he said. "For example, we've worked on a government 
application running single-sign on and data validation, all on web 
services and made up of 15 different applications.

"Traditional test tools look for menu systems and so on, but in AJAX, 
Javascript runs the show and you're handing over trust to the client - 
it's incredibly scary.

He continued, "Web developers are far too confident in the ability of 
their tools to protect them. The thing is, the existing toolkits are 
great for developing, but they don't do anything to stop you writing 
insecure code."

The risks are not just technical -- they also come from who's driving 
application development now and they come from later in the application 
lifecycle, Cohen added.

"Some aren't even written by engineers, they're being done by 
marketing," he said, noting that as applications evolve over time, it is 
all too easy for developers to code quick fixes onto the page without 
considering the security implications.

He said that as well as scanning for vulnerable application logic during 
development and testing apps before they go live, users need to 
regularly test them after they go live as well. "Most applications 
aren't AJAX, but most now use some element that uses AJAX," he warned.

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au

More information about the Link mailing list