IBM unveils technology to secure mashups

'Smash' tool can keep malicious code out of organizations by separating data sources

IBM this week rolled out new technology aimed at securing mashups -- Web applications that business users can build themselves by linking information streams from multiple sources.

IBM also disclosed that it has donated the new technology, codenamed "Smash" (for secure mashup), to the OpenAjax Alliance of vendors working to create standards for interoperable Asynchronous JavaScript and XML technologies. Smash allows information from different sources to communicate, but it keeps them separated so that malicious code that may be contained in one data source is kept out of enterprise systems, IBM said.

"People like to take gadgets and widgets and be able to build up their own dashboards, which is great," said Rod Smith, an IBM fellow and vice president. "It is empowering people to tune their information."

But he added, while users may assume that a mashup comes from the source the widget says it comes from, it could contain malicious code that could phish for information from a user's browser or from communications with a server, he added.

"We know people are going to go down this path, [so] how can we make sure they can do it in a more secure manner?" Smith said. "[Smash] is a little runtime piece [of code] that works in AJAX. As components come in through gadgets, it can proactively check to see if they are trustable. You'll be able to authenticate these pieces. As they're put on a page and they interact with other widgets on that page, you'll know they came from the right sources at that point."

Smith said that Smash is mainly aimed to be proactive protection against such attacks, which he said are not common today. However, a research report released by Gartner last month titled "The Creative and Insecure World of Web 2.0" noted that the potential for security risks increases as more business users morph into application developers by building mashups.

Because mashups enable masses of individuals within a company to become developers of applications that use their own versions of business rules and practices, they create risks for companies, the report said.

"Web 2.0 enables building applications by grabbing readily available content from someone else's Web site, a useful application from another site, design templates from one user community and [a] runtime platform from another user community," the report noted. "All this is done in a rapid application development style that often gets distorted and transformed into a style where developers begin programming before they start thinking. Lack of application development expertise will lead them to develop vulnerable applications."

Gartner advised that companies take several steps to deal with the vulnerabilities that can result from mashups, including the following:

Base all enterprise practices on the assumption that Web-based content and software will be affected by Web 2.0, used in unexpected ways, and abused and attacked by outsiders and insiders.

Validate all input into applications, browsers and databases; obfuscate code that contains valuable IP information; and filter outbound information.

Expand the definition of vulnerability assessment to include the detection of external users of corporate content through mashups.

Develop process guidelines and tool support for vulnerability testing of Web 2.0 applications.

Demand security and IP certificates for every piece of software that open-source software communities and software vendors give or sell.

Do not accept applications developed by external service providers, open-source software communities or business partners unless they are tested for security vulnerabilities.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Heather Havenstein

Computerworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?