The security risk in Web 2.0

By Joris Evers, CNET News.com
Monday, July 31, 2006 10:46 AM

The key to preventing security issues is developer training and practices, Asleson said. "I think it would be naive for anyone to say that there are no security problems," he said. "There are a lot of things that developers can do that can open all kinds of security holes."

AJAX itself doesn't introduce vulnerabilities, Chess said--it just makes it easier to make old mistakes. The software industry is exiting the desktop applications era, where buffer overflows were the big security problem. Now it's JavaScript in AJAX that is raising concerns. "It's an amazing return to the past," he said.

But Asleson, who aside from authoring two AJAX books is also a developer, disagrees with the notion that Web developers neglect security. "In some ways, there are some parallels between what we saw on the desktop 10 years or so ago. But back then, security really wasn't really on anyone's radar, and today, it very much is," he said.

That sentiment was echoed by Google and AOL, two of the Web's giants. Google is a big AJAX fan, Douglas Merrill, vice president of engineering at Google, said in an interview via e-mail.

"In AJAX development, like all software development, it's important to carefully address security and build products with the user's best interests in mind," Merrill said. One of the benefits of Web-based applications, he noted, is that deploying fixes is typically fast and easy, requiring no action from the user.

Though Google hasn't been completely free of Web site flaws, security is part of the design, development, delivery and operation of its products and services, Merrill said.

"In our experience, processes where security is 'done' only by a security team are not scalable and tend to be ineffective," he said. "In contrast, we strive to integrate security into the overall product development process."

Bigger is better?
AOL said it believes large Web companies do a better job at security than small ones that are just starting out. "We have the advantage of more than two decades of experience and a large professional security team to help us keep new and existing products secure," company spokesman Andrew Weinstein said.

There is a rush to try and create the next MySpace, Flickr or Google Maps, Hoffman said, and there aren't many barriers to entry. But simply building the Web site is not the end of the development work, he added. Developers have to be security-conscious, about both bugs and the unanticipated malicious use of built-in features, he said.

In the case of Yahoo Mail, the Yamanner worm that spread last month took advantage of the software's ability to include JavaScript in messages, experts said. When the message was opened, a script ran, instructing the e-mail service to send the contacts in the online address book to a remote server. The worm also had the service mail the malicious message to all the people on that list.

Yahoo said it strives to protect members' information and to help with security across the industry. "We have a dedicated team of experts that ensure security is top-of-mind among our engineers and also help developers create secure services through a variety of methods throughout the engineering process, including developer education, infrastructure, reviews and tools," a company representative said.

At MySpace, last October's Samy worm is considered one of the first to exploit a cross-site scripting flaw. It exploited vulnerabilities in the MySpace site to add a million users to the author's "friends" list. When a MySpace user viewed an infected profile, his profile would in turn be infected and become infectious.

Both attacks were relatively innocent. But experts are cautioning that such flaws could be used in much more serious incidents. "I don't think the attackers, or the defenders, are up on Ajax yet," Chess said.

The burden rests on Web site developers to make sure their users and servers stay safe, experts said. Internet users can protect themselves to some extent using PC security software, such as virus and phishing shields. But such applications are typically most effective after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) or blacklists of known malicious sites.

"The end-user ends up getting screwed, but the Web application really has the vulnerability in it," Hoffman said. "The only people who can fix the problem are the actual people who run the Web applications."

