AJAX and Security, Revisited

In the last two days I’ve started to notice a number of articles detailing security in an AJAX application. Apparently there are a lot of people out there touting AJAX as this super-secure way of serving content on the web. And then there are those that are touting it as less secure than traditional DHTML sites. Mike Kemp of Heise Security warns that AJAX can open you up to attack while Jeremiah Grossman of Whitehat Security explains that AJAX is no less secure than traditional DHTML.

But let’s look at the reality of the situation. Regardless of the language and methodology used, security still breaks down into some fairly straightforward concepts:

    1. Never trust the client
      • In simple terms, consider the user of the application to be the enemy. Double check everything the user sends you and make sure that what they send is acceptable. Be as restrictive as possible, because even the simplest mistake can be costly.
    2. Design using the Defense In Depth approach
      • Defense in depth is a security strategy in which you use multiple layers of defense to prevent attacks. This type of strategy goes beyond the web page you are trying to serve and encompasses the network as well. Simply put, you design your security to run at each layer. What this means is that instead of just checking input at the server level, you check it at every layer the data interacts with. While this means more code, it can also mean more security. If someone is able to get through one layer, it doesn’t mean they’ll get through the next.
    3. Test Test Test
      • Before you release your application, you test it. Add security penetration testing to your test suite. Attack the application from every angle you can think of and, if possible, have others attack it as well. It’s very hard for a programmer to check his own work for security flaws because he knows what the program is designed to do and what security code has been put in place. Having someone else test your application can reveal security and application bugs that you as a developer would never find.
    4. Keep up with current technology
      • Keeping up with technology is one of the best ways to learn how to secure your applications. I highly recommend reading security-related programming books, blogs, and news to find out about new techniques, reinforce old techniques, and, most importantly, to keep security at the forefront of your mind. If you’re not thinking security, then you’re likely to make simple mistakes that can cost a lot in the long run.
    5. Make sure your tools are up to date
      • The tools you use can be the source of security bugs if you don’t keep them up to date. A great example of this is the APIs you use within your programs. If you link to old versions of the APIs, then you may be susceptible to security and application bugs that were fixed in later releases. APIs are usually a black-box item, so make sure you check into the API before deciding upon its use.
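To make the first two principles concrete for an AJAX application, here is an added example (not code from the original post) of what "never trust the client" and layered checking look like on the server side of an XMLHttpRequest POST. The endpoint name, the field names, and the limits on them are assumptions chosen for illustration; the point is that the server re-checks everything, whatever the page's own script may already have validated in the browser.

```javascript
// Added example, not from the original post. Models the server side of an
// AJAX "update profile" call. The field names and limits are hypothetical.

// Allow-list of fields the AJAX client is expected to send, with explicit
// type, length, character-set and range constraints for each.
const FIELD_RULES = {
  displayName: { type: "string", maxLength: 40, pattern: /^[\w .'-]+$/ },
  theme: { type: "string", allowed: ["light", "dark"] },
  itemsPerPage: { type: "integer", min: 5, max: 100 },
};

// Layer 1: the raw body must be a bounded-size, well-formed JSON object.
// Never assume the browser script produced it; anything can speak HTTP.
function parseBody(rawBody, maxBytes = 4096) {
  if (typeof rawBody !== "string" || Buffer.byteLength(rawBody, "utf8") > maxBytes) {
    return { ok: false, error: "body missing or too large" };
  }
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch {
    return { ok: false, error: "body is not valid JSON" };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  return { ok: true, data };
}

// Layer 2: every field is checked against the allow-list. Unknown fields are
// rejected rather than silently accepted, and each value is type- and
// range-checked. All problems are collected so the caller can log them.
function validateFields(data, rules = FIELD_RULES) {
  const errors = [];
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(rules)) {
    if (!(key in data)) {
      errors.push(`missing field: ${key}`);
      continue;
    }
    const value = data[key];
    if (rule.type === "string") {
      if (typeof value !== "string") { errors.push(`${key}: not a string`); continue; }
      if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${key}: too long`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${key}: disallowed characters`);
      if (rule.allowed && !rule.allowed.includes(value)) errors.push(`${key}: not an allowed value`);
    } else if (rule.type === "integer") {
      if (!Number.isInteger(value)) { errors.push(`${key}: not an integer`); continue; }
      if (value < rule.min || value > rule.max) errors.push(`${key}: out of range`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// The handler the XMLHttpRequest POST would reach. Both layers run in order;
// any failure is a 400 with the reasons, regardless of what the client-side
// script claimed to have checked already.
function handleUpdateProfile(rawBody) {
  const parsed = parseBody(rawBody);
  if (!parsed.ok) return { status: 400, body: { errors: [parsed.error] } };
  const checked = validateFields(parsed.data);
  if (!checked.ok) return { status: 400, body: { errors: checked.errors } };
  return { status: 200, body: { saved: parsed.data } };
}

// Constructed sample bodies: one as the page's own script would send it, the
// others shaped the way a buggy or tampered client might send them.
const SAMPLES = {
  good: JSON.stringify({ displayName: "Ada L.", theme: "dark", itemsPerPage: 25 }),
  extraField: JSON.stringify({ displayName: "Ada L.", theme: "dark", itemsPerPage: 25, isAdmin: true }),
  badType: JSON.stringify({ displayName: "Ada L.", theme: "dark", itemsPerPage: "25" }),
  notJson: "displayName=Ada",
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(handleUpdateProfile(body)));
}
```

Only the first sample is accepted. The `extraField` case shows why unknown fields are rejected instead of ignored: a client can add anything to the JSON it sends, so the server decides which fields exist, not the page's JavaScript.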

These are just a few ways to make sure you’re maximizing security in your code. There are many other lists out there, but you’ll find that they all come down to the same few basic principles. Never think that your program is 100% secure; there’s always a way to attack it. You just need to be more diligent than the attackers.

AJAX: It’s not just for cleaning anymore…

There’s a new or, rather, old programming language… wait… language? Hrm… mixture of concepts is more like it. Anyway, there’s this new way of doing things on the web. It’s called AJAX, which is an acronym for Asynchronous JavaScript and XML. Based on the XMLHttpRequest object, it allows a web programmer to transfer information between the server and the web browser without requiring a complete reload of the web page. Pretty nifty stuff.

Dubbed Web 2.0, this “new” technology is revolutionizing the way users interact with the web. More than a mere buzzword, AJAX is sweeping the web and offering up some very powerful web applications. Gmail has been using AJAX for a while now. AJAX, combined with DHTML, allows you to “build” your Google homepage, and allows that same page to be updated on the fly without reloading the entire page. More recently, sites such as Netvibes, Pageflakes, and Eskobo offer “Web Desktops”. Other sites such as Yahoo Maps and Google Local offer web-based mapping software without the arrow clicking and page reloading.

I’ve purchased a book on AJAX to enhance my own knowledge of this powerful web development tool. It’s definitely an intriguing concept and it seems simple enough up front, but extremely powerful when you get deep into it. Stay tuned for more!!!