Caution, Developers: SOA And Ajax Open To AttackCaution, Developers: SOA And Ajax Open To Attack

Popular programming initiatives such as services-oriented architectures and dynamic Web user interfaces are destined to fail if they're not developed with security in mind.

This was the sentiment Tuesday at the Software Security Summit in Baltimore, where application security vendors promised that those who forget past software development mistakes--particularly when cool new features trumped security--are destined to repeat those mistakes on the Web.

"I want people to think about input validation, error handling, and other security matters before they create a Web service," Jeff Williams, CEO of security services firm Aspect Security, said Tuesday. Otherwise, SOAs that push complexity behind the scenes and emphasize application interoperability will create of a system of insecure services sharing information.

Although the vendors here had an obvious self-interest in stirring things up, concerns over security aspects of Web services have been growing for several years. Simply put, it's just more difficult to bake-in protection in a distributed world.

In a worst-case scenario, instead of an attack on a Web application exposing some credit-card numbers, an attack could expose all credit card numbers, Williams added, pointing out that Web services only work "when you can trust the relationships between applications."

Dynamic Web coding languages such as Ajax, or Asynchronous JavaScript and XML, also require careful attention to security. Ajax applications access data in smaller increments, which lets them serve pages faster and provide the user with a smoother experience. "This is a huge hurdle for developing and testing securely," says Joe Basirico, manager of technology and security services with Security Innovation, a provider of software security testing and training services.

"If an attacker can figure out your Ajax data request layout, which depends on factors such as the type of data being requested and the permissions needed to access data, they can figure out how to access data without having the authorization to do so," says Basirico, who spent two years as a programmer with Microsoft.

Ajax is the technology underlying Google Maps, GMail, Microsoft's own MSN.com and Hotmail. Ajax allows a Web application to interact with a user without constantly downloading HTML pages, making software on the Web act like it's running locally on a PC.

This technology has captured the imagination of companies throughout the software industry. IBM in late January announced an "Open" Ajax initiative and donated software that allows developers to work with Ajax on the Eclipse programmer's workbench. This move was backed by a number of significant software and Web companies, including BEA Systems, Google, Mozilla, Novell, Oracle, Red Hat, and Yahoo. Open Ajax members met last month to advance their plans for standardized, openly developed specifications and tools for Ajax. Microsoft is even planning to offer Ajax-style programming technology code-named Atlas, which will be included in the next version of Visual Studio.

But attacks within Ajax environments are already a reality. A teenage programmer known as "Samy" last year inserted code in his MySpace Web site user profile so that those viewing his profile would have their own profiles corrupted. "The MySpace hack was the first Ajax worm and consisted of a cross-site script that automatically added [Samy's] profile to the friends list of many MySpace users," says Caleb Sima, chief technology officer of Spi Dynamics, a provider of Web application security and testing technology.

In an Ajax environment, the application makes frequent calls to a database, a characteristic that "increases your attack surface," Sima says.

With a more conventional Web application, a user would, for example, fill out an online form to apply for a new bank account and submit that form for approval. A programmer could add Ajax or Web services capabilities to that application by immediately alerting the user if information is entered improperly in different fields, even before the form is submitted. "These Web services are all making calls to a database," Sima says. "Most developers will throw a Web service up, make a database call that is probably SQL injectable, and have no session authentication to protect the transaction."

Such oversights compromise the security of Web applications as well as the databases they access.