Sprajax Release Covered by SearchAppSecurity.com

I was interviewed for this article on AJAX security by SearchAppSecurity.com.  It provides a basic overview of some of the threats involved in building AJAX-enabled applications.  They also spoke with Mandeep Khera of Cenzic.

One thing to note: Charles Kolodgy from IDC made a comment that he was concerned about “hackers” having access to tools released as open source.  I thought this had been laid to rest a long time ago, but to restate it here: the “black hat” community already has access to underground tools just like this, as well as cracked versions of commercial software.  The solution to the problem isn’t to withhold open source (or other) security tools so that folks can’t find vulnerabilities.  The solution is to craft systems, networks and applications that don’t have these security defects in the first place.  As I mentioned in the article – if you’re finding vulnerabilities with sprajax you are much farther down the road than you ought to be.  What you really need to do is to work risk assessments and secure coding techniques into your methodology.  Finding and patching these problems at the end of the process is way more expensive than getting it right the first time.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
