Web 2.0 apps riddled with holes

New browser-based application technologies are opening new security holes, warned SPI Dynamics, as it launched a re-engineered version of its SOA/Web 2.0 security testing software WebInspect this week.

Brian Cohen, SPI's CEO, says that older testing tools — including his — were fine for relatively static server-side applications, but are no good for modern dynamic apps built using the likes of AJAX, SOAP, SOA and Flash.

"These applications are not static, or even close to it," he says. "The underpinnings of the web have fundamentally changed. HTML and CGI applications were predictable, but now the environment is much more complicated to interpret — it is dynamic."

Cohen says that SPI had to completely redesign the platform that underlies the latest version of WebInspect so it can analyse Web 2.0 applications, looking at client-side security as well as server-side.

The danger is more widespread than users might think, says James Spooner, technical director of Lodoga Security, which beta-tested WebInspect 7.

"Proper corporate applications are using many of these features in quite subtle ways," he says. "For example, we've worked on a government application running single sign-on and data validation, all on web services and made up of 15 different applications.

"Traditional test tools look for menu systems and so on, but in AJAX, JavaScript runs the show and you're handing over trust to the client — it's incredibly scary."

He continued, "Web developers are far too confident in the ability of their tools to protect them. The thing is, the existing toolkits are great for developing, but they don't do anything to stop you writing insecure code."

The risks are not just technical: they also come from who is driving application development now, and from later in the application lifecycle, Cohen added.

"Some aren't even written by engineers, they're being done by marketing," he says, noting that as applications evolve over time, it is all too easy for developers to code quick fixes onto the page without considering the security implications.

He says that as well as scanning for vulnerable application logic during development and testing apps before they go live, users need to regularly test them after they go live as well. "Most applications aren't AJAX, but most now use some element that uses AJAX," he warned.

