IBM unveils technology to secure mashups

'Smash' tool can keep malicious code out of organizations by separating data sources

IBM this week rolled out new technology aimed at securing mashups -- Web applications that business users can build themselves by linking information streams from multiple sources.

IBM also disclosed that it has donated the new technology, codenamed "Smash" (for secure mashup), to the OpenAjax Alliance of vendors working to create standards for interoperable Asynchronous JavaScript and XML technologies. Smash allows information from different sources to communicate, but it keeps them separated so that malicious code that may be contained in one data source is kept out of enterprise systems, IBM said.

"People like to take gadgets and widgets and be able to build up their own dashboards, which is great," said Rod Smith, an IBM fellow and vice president. "It is empowering people to tune their information."

But he added, while users may assume that a mashup comes from the source the widget says it comes from, it could contain malicious code that could phish for information from a user's browser or from communications with a server, he added.

"We know people are going to go down this path, [so] how can we make sure they can do it in a more secure manner?" Smith said. "[Smash] is a little runtime piece [of code] that works in AJAX. As components come in through gadgets, it can proactively check to see if they are trustable. You'll be able to authenticate these pieces. As they're put on a page and they interact with other widgets on that page, you'll know they came from the right sources at that point."

Smith said that Smash is mainly aimed to be proactive protection against such attacks, which he said are not common today. However, a research report released by Gartner last month titled "The Creative and Insecure World of Web 2.0" noted that the potential for security risks increases as more business users morph into application developers by building mashups.

Because mashups enable masses of individuals within a company to become developers of applications that use their own versions of business rules and practices, they create risks for companies, the report said.

"Web 2.0 enables building applications by grabbing readily available content from someone else's Web site, a useful application from another site, design templates from one user community and [a] runtime platform from another user community," the report noted. "All this is done in a rapid application development style that often gets distorted and transformed into a style where developers begin programming before they start thinking. Lack of application development expertise will lead them to develop vulnerable applications."

Gartner advised that companies take several steps to deal with the vulnerabilities that can result from mashups, including the following:

Base all enterprise practices on the assumption that Web-based content and software will be affected by Web 2.0, used in unexpected ways, and abused and attacked by outsiders and insiders.

Validate all input into applications, browsers and databases; obfuscate code that contains valuable IP information; and filter outbound information.

Expand the definition of vulnerability assessment to include the detection of external users of corporate content through mashups.

Develop process guidelines and tool support for vulnerability testing of Web 2.0 applications.

Demand security and IP certificates for every piece of software that open-source software communities and software vendors give or sell.

Do not accept applications developed by external service providers, open-source software communities or business partners unless they are tested for security vulnerabilities.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Heather Havenstein

Computerworld
Show Comments

Essentials

Mobile

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?