Web 2.0 apps riddled with holes, warns SPI

Dynamic apps built using AJAX, SOAP, SOA and Flash pose possible security concerns for developers

New browser-based application technologies are opening new security holes, warned SPI Dynamics as it launched a re-engineered version of its SOA/Web 2.0 security testing software WebInspect this week.

Brian Cohen, SPI's CEO, said that older testing tools -- including his -- were fine for relatively static server-side applications, but are no good for modern dynamic apps built using the likes of AJAX, SOAP, SOA and Flash.

"These applications are not static, or even close to it," he said. "The underpinnings of the web have fundamentally changed. HTML and CGI applications were predictable, but now the environment is much more complicated to interpret - it is dynamic."

Cohen said that SPI had to completely redesign the platform that underlies the latest version of WebInspect so it can analyze Web 2.0 applications, looking at client-side security as well as server-side.

The danger is more widespread than users might think, said James Spooner, technical director of Lodoga Security, which beta-tested WebInspect 7.

"Proper corporate applications are using many of these features in quite subtle ways," he said. "For example, we've worked on a government application running single sign-on and data validation, all on web services and made up of 15 different applications.

"Traditional test tools look for menu systems and so on, but in AJAX, JavaScript runs the show and you're handing over trust to the client - it's incredibly scary."

He continued, "Web developers are far too confident in the ability of their tools to protect them. The thing is, the existing toolkits are great for developing, but they don't do anything to stop you writing insecure code."
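Spooner's point about trust shifting to the client, as an added example that is not from the article or from SPI's product: the same AJAX transfer request handled by a server that believes the browser's validation, and by one that re-validates everything and takes the caller's role from its own session. The handler names, request fields, `MAX_TRANSFER` limit and sample requests are all assumptions constructed for this illustration.

```javascript
// Added example (not from the article or WebInspect). Request and session
// objects are constructed sample data, not captured traffic.

// Weak pattern: browser-side JavaScript validated the form and says so in the
// request. Every field in the body, including that flag and the role, is an
// attacker-controlled string by the time it reaches the server.
function handleTransferTrustingClient(body) {
  if (!body.clientValidated) return { status: 400, error: "invalid form" };
  // Amount and role are used exactly as the client sent them.
  return { status: 200, debited: body.amount, role: body.role };
}

// Hardened pattern: the server owns the rules and re-checks every field.
const MAX_TRANSFER = 10000; // assumed business limit for the example

function validateTransfer(body) {
  const errors = [];
  if (typeof body.account !== "string" || !/^[0-9]{8}$/.test(body.account)) {
    errors.push("account must be exactly 8 digits");
  }
  if (!Number.isInteger(body.amount) || body.amount <= 0 || body.amount > MAX_TRANSFER) {
    errors.push(`amount must be an integer between 1 and ${MAX_TRANSFER}`);
  }
  return errors;
}

function handleTransferServerValidated(body, session) {
  const errors = validateTransfer(body);
  if (errors.length > 0) return { status: 400, errors };
  // Authorization comes from the session the server created at login,
  // never from a role field the client could have edited in the browser.
  if (session.role !== "approver") return { status: 403, error: "not permitted" };
  return { status: 200, debited: body.amount, role: session.role };
}

// Constructed sample: a request whose client-side checks were bypassed.
const tamperedRequest = { clientValidated: true, account: "12-34", amount: -5000, role: "approver" };
const viewerSession = { user: "alice", role: "viewer" };

console.log("trusting client:", handleTransferTrustingClient(tamperedRequest));
console.log("server validated:", handleTransferServerValidated(tamperedRequest, viewerSession));
```

The first handler accepts a negative amount and a self-assigned approver role with a 200; the second rejects the same request with a 400 before authorization is even considered.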

The risks are not just technical -- they also come from who's driving application development now and they come from later in the application lifecycle, Cohen added.

"Some aren't even written by engineers, they're being done by marketing," he said, noting that as applications evolve over time, it is all too easy for developers to code quick fixes onto the page without considering the security implications.

He said that as well as scanning for vulnerable application logic during development and testing apps before they go live, users need to regularly test them after they go live as well. "Most applications aren't AJAX, but most now use some element that uses AJAX," he warned.


Bryan Betts

Techworld.com
