Mashup Security
Technology Review (03/31/08) Naone, Erica
As a growing number of tools are developed to help people create their own online mashups, experts are examining how to eliminate mashup security risks. OpenAjax Alliance cofounder David Boloker says that as mashups become more complex they start incorporating computer code from multiple sources, which may include insecure code that could jeopardize a company's or user's systems. Web browsers were not designed with mashups in mind, Boloker says. Browsers contain a security feature called the same-origin policy that is intended to keep malicious code hosted on one site from obtaining information from another site. However, same-origin security forces Web applications to either sacrifice security or functionality, says Microsoft Research's Helen Wang. Wang says that when a Web site creator embeds code written by a third party the same-origin policy no longer offers any protection. She has been working on solutions that provide a way for browsers to recognize code that comes from a third party and to treat that code differently. One solution is to enclose third-party code in a "sandbox" tag, which would allow the Web site to use the code but treat it as unauthorized content, with no authority outside the sandbox. IBM recently released a security tool called SMash that allows content from multiple sources to be displayed on a single page, and allows them to communicate safely. A secure communication channel monitors information sent between tools while maintaining their separate identities and sets of permissions.
Click Here to View Full Article
No comments:
Post a Comment