I was interviewed for this article on AJAX security by SearchAppSecurity.com. It provides a basic overview of some of the threats involved in building AJAX-enabled applications. They also spoke with Mandeep Khera of Cenzic.
One thing to note: Charles Kolodgy from IDC made a comment that he was concerned about “hackers” having access to tools released as open source. I thought this had been laid to rest a long time ago, but to restate it here: the “black hat” community has access to underground tools just like this as well as cracked versions of commercial software. The solution to the problem isn’t to not release open source (or other) security tools so that folks can’t find vulnerabilities. The solution is to craft systems, networks and applications that don’t have these security defects. As I mentioned in the article – if you’re finding vulnerabilities with sprajax you are much farther down the road than you ought to be. What you really need to do is to work risk assessments and secure coding techniques into your methodology. Finding and patching these problems at the end of the process is way more expensive than getting it right the first time.
–Dan
dan _at_ denimgroup.com