IBM unveils technology to secure mashups

'Smash' tool can keep malicious code out of organizations by separating data sources

IBM this week rolled out new technology aimed at securing mashups -- Web applications that business users can build themselves by linking information streams from multiple sources.

IBM also disclosed that it has donated the new technology, codenamed "Smash" (for secure mashup), to the OpenAjax Alliance of vendors working to create standards for interoperable Asynchronous JavaScript and XML technologies. Smash allows information from different sources to communicate, but it keeps them separated so that malicious code that may be contained in one data source is kept out of enterprise systems, IBM said.

"People like to take gadgets and widgets and be able to build up their own dashboards, which is great," said Rod Smith, an IBM fellow and vice president. "It is empowering people to tune their information."

But he added that while users may assume a mashup comes from the source the widget claims, it could contain malicious code that phishes for information from a user's browser or from the browser's communications with a server.

"We know people are going to go down this path, [so] how can we make sure they can do it in a more secure manner?" Smith said. "[Smash] is a little runtime piece [of code] that works in AJAX. As components come in through gadgets, it can proactively check to see if they are trustable. You'll be able to authenticate these pieces. As they're put on a page and they interact with other widgets on that page, you'll know they came from the right sources at that point."
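The separation-with-communication idea Smith describes above, written out as an added example; this is not IBM's Smash code, and it assumes the modern browser building blocks (one iframe per widget on its own origin, messages exchanged with window.postMessage). Only the hub's checking and routing logic is shown, driven by hand-built event objects so it runs outside a browser; the widget ids, origins and topics are constructed for the demonstration.

```javascript
// Added illustration (not IBM's Smash code): a mashup hub that keeps widgets in
// separate origins and relays messages between them only after checking where
// each message came from. Assumptions: each widget is loaded in its own iframe
// from its own origin and talks to the host with window.postMessage; the hub
// below holds only the checking and routing logic, so it can run outside a
// browser against constructed event objects.
'use strict';

// Topics widgets may exchange; anything else is dropped.
const ALLOWED_TOPICS = new Set(['quote', 'selection']);
const MAX_VALUE_LENGTH = 256;

// Attributes the host page would put on a widget's iframe. The widget's own
// origin isolates it from the host under the same-origin policy; the sandbox
// flags deny top-level navigation, forms and popups while keeping the real
// origin so event.origin can still be checked.
function widgetFrameAttributes(origin) {
  return { src: `${origin}/widget.html`, sandbox: 'allow-scripts allow-same-origin' };
}

function reject(reason) {
  return { ok: false, reason };
}

class MashupHub {
  constructor() {
    this.widgets = new Map(); // origin -> { id, source, subscriptions }
  }

  // Register a widget under the exact origin it is expected to post from.
  register(id, origin, source, subscriptions = []) {
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
      throw new Error(`refusing non-https or malformed origin: ${origin}`);
    }
    this.widgets.set(origin, { id, source, subscriptions: new Set(subscriptions) });
  }

  // Check one message event and relay it to subscribed widgets.
  // Returns { ok: true, delivered: [...] } or { ok: false, reason }.
  handleMessage(event) {
    const widget = this.widgets.get(event.origin);
    if (!widget) return reject('origin not registered');
    // The sending window must be the one registered for that origin, so a
    // message cannot be spoofed by some other frame on the page.
    if (event.source !== widget.source) return reject('source window mismatch');

    const data = event.data;
    if (!data || typeof data !== 'object') return reject('payload is not an object');
    if (!ALLOWED_TOPICS.has(data.topic)) return reject('topic not allowed');
    if (typeof data.value !== 'string' || data.value.length > MAX_VALUE_LENGTH) {
      return reject('value must be a short string');
    }

    const delivered = [];
    for (const [origin, other] of this.widgets) {
      if (other === widget || !other.subscriptions.has(data.topic)) continue;
      // Relay a rebuilt message (never the raw object) and pin the target
      // origin so a frame that has navigated elsewhere cannot receive it.
      other.source.postMessage({ from: widget.id, topic: data.topic, value: data.value }, origin);
      delivered.push(other.id);
    }
    return { ok: true, delivered };
  }
}

// Constructed stand-in for an iframe's contentWindow: records what was posted.
function fakeWindow() {
  return {
    posted: [],
    postMessage(message, targetOrigin) { this.posted.push({ message, targetOrigin }); },
  };
}

// Constructed scenario: two registered widgets and one rogue frame.
function demo() {
  const hub = new MashupHub();
  const stocks = fakeWindow();
  const news = fakeWindow();
  const rogue = fakeWindow();
  hub.register('stocks', 'https://stocks.example', stocks, ['selection']);
  hub.register('news', 'https://news.example', news, ['quote']);

  return {
    good: hub.handleMessage({ origin: 'https://stocks.example', source: stocks, data: { topic: 'quote', value: 'ACME 12.34' } }),
    unknownOrigin: hub.handleMessage({ origin: 'https://evil.example', source: rogue, data: { topic: 'quote', value: 'x' } }),
    spoofedSource: hub.handleMessage({ origin: 'https://stocks.example', source: rogue, data: { topic: 'quote', value: 'x' } }),
    badTopic: hub.handleMessage({ origin: 'https://news.example', source: news, data: { topic: 'eval', value: 'x' } }),
    newsInbox: news.posted,
  };
}

module.exports = { MashupHub, widgetFrameAttributes, fakeWindow, demo };
```

Running demo() shows the quote from the stocks widget reaching only the news widget, while a message from an unregistered origin, a message whose window does not match its claimed origin, and a message on an unknown topic are all dropped before any other widget sees them. The two checks that carry the weight are the origin-to-window pairing on receipt and the explicit target origin on every relay; omitting either lets a frame of one source read or inject data meant for another.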

Smith said that Smash is mainly aimed to be proactive protection against such attacks, which he said are not common today. However, a research report released by Gartner last month titled "The Creative and Insecure World of Web 2.0" noted that the potential for security risks increases as more business users morph into application developers by building mashups.

Because mashups enable masses of individuals within a company to become developers of applications that use their own versions of business rules and practices, they create risks for companies, the report said.

"Web 2.0 enables building applications by grabbing readily available content from someone else's Web site, a useful application from another site, design templates from one user community and [a] runtime platform from another user community," the report noted. "All this is done in a rapid application development style that often gets distorted and transformed into a style where developers begin programming before they start thinking. Lack of application development expertise will lead them to develop vulnerable applications."

Gartner advised that companies take several steps to deal with the vulnerabilities that can result from mashups, including the following:

Base all enterprise practices on the assumption that Web-based content and software will be affected by Web 2.0, used in unexpected ways, and abused and attacked by outsiders and insiders.

Validate all input into applications, browsers and databases; obfuscate code that contains valuable IP information; and filter outbound information.

Expand the definition of vulnerability assessment to include the detection of external users of corporate content through mashups.

Develop process guidelines and tool support for vulnerability testing of Web 2.0 applications.

Demand security and IP certificates for every piece of software that open-source software communities and software vendors give or sell.

Do not accept applications developed by external service providers, open-source software communities or business partners unless they are tested for security vulnerabilities.

Heather Havenstein

Computerworld