Security experts warn about the risks of "Premature Ajax-ulation"
The Ars article is short on details and actually reads like a press release to me, which is odd for Ars (so maybe it's me). Basically two guys from SPI Dynamics gave a Black Hat talk about Ajax and security. Without details, the gist seems to be that Ajax is insecure - because "Ajax techniques tend to shift too much business logic to the client-side, where it can be easily manipulated by users to break or exploit web applications."
To which I say, not so fast. When and where you contact the server does not change the risk. People need to understand that security matters, whether or not you are using Ajax. If you do not validate identity, input, the order of operations (where required), and so on, then yes, things are relatively insecure. But what Ajax pushes to the client is 99.9% benign stuff, stuff the client arguably SHOULD be doing anyway to offload work from the server and make applications more performant. When the time comes to talk to the server, if there is no security and the client is blindly trusted, then yes, problems may arise - but this has absolutely nothing to do with Ajax. Ajax requires discipline to secure, true, but that is neither unique, nor a revelation.
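As an added example (not code from the original post), here is the same Ajax checkout request handled two ways on the server. The browser-side total is harmless; what decides the risk is whether the server validates identity, input and order of operations and recomputes the amount from its own data, or simply trusts what the XMLHttpRequest payload says. The catalog, session table, order table and request are constructed sample data, and the function names are hypothetical.

```javascript
// Added example: one Ajax checkout request, trusted vs. validated server side.
// Everything below (catalog, sessions, orders, request) is constructed sample data.

// Server-side authoritative data, never sent to the client for decision making.
function makeSampleDb() {
  return {
    CATALOG: { sku_1001: 1999, sku_1002: 4999 },   // sku -> price in cents
    SESSIONS: { "tok-alice": "alice" },            // session token -> user
    ORDERS: { 7: { owner: "alice", state: "open" } }, // order id -> state
  };
}

// The parsed JSON body of the Ajax POST as the server receives it. Anything in
// here can be changed by the user, since it is produced by their browser.
const sampleRequest = {
  token: "tok-alice",
  orderId: 7,
  items: [{ sku: "sku_1001", qty: 2 }, { sku: "sku_1002", qty: 1 }],
  clientTotal: 8997, // what the page's JavaScript computed for display
};

// Vulnerable handler: business logic lives on the client and is trusted.
// Whatever total the browser reports is charged, and nobody checks who is paying.
function checkoutTrustingClient(req) {
  return { charged: req.clientTotal, orderId: req.orderId };
}

// Hardened handler: identity, input and order of operations are checked on the
// server, and the amount is recomputed from the catalog. The client's total is
// only compared for logging; a mismatch is reported, never honoured.
function checkoutValidated(req, db = makeSampleDb()) {
  const user = db.SESSIONS[req.token];                 // identity
  if (!user) return { error: "unauthenticated" };

  const order = db.ORDERS[req.orderId];                 // ownership + state
  if (!order || order.owner !== user) return { error: "forbidden" };
  if (order.state !== "open") return { error: "order not open" };

  if (!Array.isArray(req.items) || req.items.length === 0)
    return { error: "invalid items" };                  // input shape

  let total = 0;
  for (const it of req.items) {
    const price = db.CATALOG[it.sku];
    if (price === undefined) return { error: `unknown sku ${it.sku}` };
    if (!Number.isInteger(it.qty) || it.qty < 1 || it.qty > 100)
      return { error: `invalid qty for ${it.sku}` };
    total += price * it.qty;                            // server-side arithmetic
  }

  order.state = "paid"; // order of operations: the same order cannot be paid twice
  return {
    charged: total,
    orderId: req.orderId,
    clientTotalMismatch: total !== req.clientTotal,
  };
}

module.exports = { makeSampleDb, sampleRequest, checkoutTrustingClient, checkoutValidated };
```

Running `checkoutTrustingClient` on a request whose `clientTotal` has been edited to 1 charges one cent; `checkoutValidated` charges 8997 regardless, flags the mismatch, and rejects a replay of the same order, an unknown session token, or an unknown SKU. None of this logic depends on whether the request came from a form post or an XMLHttpRequest.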
You can make an insecure web app without Ajax too. Ajax might make it harder for automated tools that claim to check your security to operate, true, but it does not itself add to the *actual* risk. The "researchers" who gave the "Ajax-ulation" talk (which is not the first use of that term) are employed at SPI Dynamics - and that company sells such automated scanning tools. I do not know much about the expertise of the speakers, but I have very briefly looked at the SPI Dynamics offerings. I was underwhelmed.
The tools offered by SPI seemed to focus on SQL injection attack scanning, cross site scripting tests, static code analysis, and on convincing executives to feel warm and fuzzy. SQL injection and cross site scripting are real vulnerabilities, but they are so basic that they should be uncovered without the tools. If it gets to the point of the tools and you are still vulnerable to those, you need more than a security scanner. As for the static analysis tools, I admittedly did not use them, so I cannot comment. I had a reason though: I use FindBugs, Checkstyle, and PMD. These may (or may not?) have a different focus, but they work well and I doubt a commercial product is going to improve upon them much (it's possible, but I was not impressed with the other aspects, and moved on).
The most troubling thing for me concerning the SPI stuff was not the actual products, but the claims made for the products, and the way executives in my organization swallowed them. These tools can "ensure" web security "at every level"? I have never seen such a tool, but I have seen more than my share of lame sales proposals that distract executives like crumpled tin foil scattered in front of a hamster. I don't mean to bash SPI unduly: as a complement to many other practices it makes sense to have such a product, but ONLY as a complement, in my opinion.
That is where the entire Ajax spin enters the fray. If you are already working to handle security, with practices in place, testing things on your own, and so on, then Ajax is not a bigger deal, just a different one. If, on the other hand, you are sold on the idea that an automated scanning tool is handling your security in place of design, coding standards, code reviews, tests, etc., and along comes Ajax and renders that tool impotent, then yes, you do have a problem.
Comments
Well....
Never trust the client.
I don't know that this is somehow "worse"... Stuff like:
Well, DUH. We are still dealing with code 101 on a lot of this stuff.