Fear and Loathing (and Uncertainty and Doubt) in Web 2.0

The Port80 folks have just posted about how AJAX applications are no less secure than normal web applications. They make some good arguments – the best of which is that if developers aren’t paying attention to input validation for web applications, they are unlikely to pay attention to input validation for AJAX-enabled applications. However, AJAX is so new and exciting that we have seen far too many developers who know better go and do stupid stuff when they start building AJAX apps. The cause: they get too enamored with what they CAN do rather than what they SHOULD do.

The problem isn’t a breakdown in the coding idioms that help to avoid technical security vulnerabilities. Rather, the problem is a breakdown in the attack/threat/risk modeling that helps to prevent logical vulnerabilities: every function an AJAX front end can call becomes a server endpoint that anyone can call directly, and the question of who should be allowed to call it, with what input, often goes unasked. Web 2.0 is new enough that these patterns aren’t well understood yet, and that is why AJAX applications are more prone to insecurity than traditional web applications.
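To make the two points above concrete (client-side validation that the server never repeats, and an endpoint that does what it CAN rather than what it SHOULD), here is an added example, not code from the original post or from Port80 or Denim Group. It shows a hypothetical JSON "transfer" endpoint in a naive and a hardened form; the handler names, the `ledger` and `session` shapes, and the sample request are all constructed for illustration and do not correspond to any real application.

```javascript
'use strict';

// Added example (not from the original post). Two versions of a server-side
// handler for an AJAX "transfer" endpoint that receives JSON such as
//   {"from": "alice", "to": "bob", "amount": 25}
// All names (handleTransferNaive, handleTransferHardened, validateTransfer,
// parseJsonBody, the ledger and session shapes) are hypothetical.

// Constructed starting state: balances keyed by account id.
const SAMPLE_LEDGER = Object.freeze({ alice: 100, bob: 50 });

// Parse the request body the way the endpoint would; malformed JSON or a
// non-object yields null instead of an exception escaping into the pipeline.
function parseJsonBody(text) {
  try {
    const value = JSON.parse(text);
    return value !== null && typeof value === 'object' && !Array.isArray(value) ? value : null;
  } catch (_) {
    return null;
  }
}

// Naive version: the page's JavaScript only ever sends the logged-in user's own
// account as `from` and a positive amount, so the server repeats none of those
// checks. Anything that can build an HTTP request can call this endpoint directly.
function handleTransferNaive(ledger, session, body) {
  const next = { ...ledger };
  next[body.from] -= body.amount;
  next[body.to] += body.amount;
  return { status: 200, ledger: next };
}

// Hardened version, step 1: input validation done on the server, regardless of
// what the client-side code promised. Returns an error string, or null if OK.
function validateTransfer(ledger, body) {
  if (body === null) return 'malformed JSON body';
  const { from, to, amount } = body;
  const known = (id) => typeof id === 'string' && Object.prototype.hasOwnProperty.call(ledger, id);
  if (!known(from) || !known(to)) return 'unknown account';
  if (from === to) return 'source and destination must differ';
  if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
    return 'amount must be a positive finite number';
  }
  if (ledger[from] < amount) return 'insufficient funds';
  return null;
}

// Hardened version, step 2: the logical check the threat model demands. The
// endpoint CAN move money between any two accounts, but SHOULD only move it
// out of the account owned by the session that is calling it.
function handleTransferHardened(ledger, session, body) {
  const error = validateTransfer(ledger, body);
  if (error) return { status: 400, error, ledger };
  if (!session || session.user !== body.from) {
    return { status: 403, error: 'not the owner of the source account', ledger };
  }
  const next = { ...ledger };
  next[body.from] -= body.amount;
  next[body.to] += body.amount;
  return { status: 200, ledger: next };
}

// Stand-alone demonstration: the same tampered request (alice's session moving
// money out of bob's account) against both handlers.
function demo() {
  const session = { user: 'alice' };
  const tampered = parseJsonBody('{"from":"bob","to":"alice","amount":50}');
  return {
    naive: handleTransferNaive(SAMPLE_LEDGER, session, tampered),
    hardened: handleTransferHardened(SAMPLE_LEDGER, session, tampered),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The naive handler accepts the tampered request and moves bob's money; the hardened one rejects it with a 403 while still accepting a well-formed transfer out of alice's own account. The point is that the validation and the ownership check live on the server, where the threat model says the trust boundary is, not in the browser code that happens to call the endpoint.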

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
