On 10/9/06, MB Software Solutions <[EMAIL PROTECTED]> wrote:
Courtesy Tom/VFUG:

I am not so sure it is really just AJAX, but instead the trend to put
complete apps on a web and use a (or one of many) browser to use the web
apps.


I'll agree that we can have quite a disagreeable discussion until we
agree on what we are talking about. There are a number of intersecting
technologies here, but they neither ensure nor prevent a secure
application.

- SSL/TLS can ensure a secure transport across an untrusted network.

- End-point security is a huge question. If the user is using a
cybercafe computer with keyboard loggers installed (or for that
matter, their home computer with their teen's malware installed), the
application isn't secure. [Note that this applies to "rich client"
installed apps as well as browser-based apps.]

- Let's define secure: are we concerned about the competition getting
your price list (hint: they already know) or about a hostile country
finding out who the spies are? There is no 100% secure configuration.
Security must be in proportion to the risk.

- Javascript running on the client is code that can be read,
reverse-engineered. Trade secrets could be stolen. Same for VFP.

- Are we talking about an "open to the internet" application or a
closed app exposed to users/clients upon authentication and via
encrypted tunnels? There are different levels and variations of
concern.

- Web-based applications have unique threats different from
rich-client apps, and vice-versa. Cross-site scripting ("XSS") is a
big concern: any input supplied from the internet should not be
trusted, and needs to be cleaned very carefully. There are many
variations on XSS and they can be difficult to detect and clean.

- Web- and rich-clients share threats, too: SQL Injection is a problem
everywhere. If you let the user type "NULL' OR 1=1; DROP TABLE
customer" in the password field and don't validate it, you have
security problems.

- In many cases, the biggest threat to an application isn't the
internet or flaws in the rich client app, but disgruntled employees.
(Keep plenty of gruntle in the office.) Printing out the price list
and faxing it to the competitors can be just as damaging as an obscure
flaw in the app. Dumping a database onto a laptop and walking out of
the office wasn't just a problem for the VA; they just got more press.

"Security is a process, not a feature." Javascript introduces
additional concerns and requires some careful auditing and thought to
avoid exposing additional threats.

--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
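A constructed illustration of the two injection points the message names (SQL injection through the password field, and XSS through unescaped output), shown as vulnerable code beside its hardened form. This is an added example, not code from Ted's post or from any ProFox project; it uses Python's standard sqlite3 and html modules, and the table, the user rows and the shortened payload variant are assumptions made for the demo.

```python
import html
import sqlite3


# Constructed sample data (not from the original message): a tiny in-memory
# login table standing in for an application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, user, password):
    # Vulnerable: the password field is pasted into the SQL text, so a quote
    # character in the input ends the string and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, user, password):
    # Hardened: bound parameters. The driver sends the values separately from
    # the statement, so they stay data no matter what characters they hold.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


# The message's payload is "NULL' OR 1=1; DROP TABLE customer". sqlite3's
# execute() refuses to run a second statement, so this constructed variant
# keeps only the OR 1=1 part and comments out the trailing quote. Drivers or
# helpers that run multiple statements would execute the DROP as well.
INJECTED_PASSWORD = "NULL' OR 1=1 --"


def render_greeting_vulnerable(name):
    # Vulnerable: user-supplied text is placed straight into HTML, so markup
    # (and therefore script) in the input becomes part of the page.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: escape for the HTML context at output time, so the browser
    # displays the characters instead of interpreting them.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed XSS-style input: a script element with an empty body.
INJECTED_NAME = "<script>/* injected */</script>"


if __name__ == "__main__":
    db = make_db()
    # Concatenated SQL: the injected password matches every row.
    print("concatenated SQL, injected password:",
          vulnerable_login(db, "alice", INJECTED_PASSWORD))
    # Parameterised SQL: the same input is just a wrong password.
    print("parameterised SQL, injected password:",
          safe_login(db, "alice", INJECTED_PASSWORD))
    print("parameterised SQL, real password:",
          safe_login(db, "alice", "s3cret"))
    print(render_greeting_vulnerable(INJECTED_NAME))
    print(render_greeting_safe(INJECTED_NAME))
```

The two fixes share one idea: keep untrusted input as data by handing it to the component that understands the target grammar (the SQL driver's parameter binding, the HTML escaper) rather than trying to "clean" it by hand, which is where the many XSS variations the message mentions slip through.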


_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech