Rich Internet Applications deliver increasing functionality, and with it increasing amounts of sensitive information, out to end users' browsers. Too often that browser and client platform is a wasteland we neither control nor can count on for consistency. How can we protect our information assets and our brand there?
More and more regulated personal and health-related information, more valuable intellectual property and more corporate secrets are reaching those browsers. As more of our application infrastructure is extended into end-user browsers, demonstrating a threshold level of due diligence gets more complicated.
Remember when the threshold seemed to be the presence of a top-tier firewall at your Internet perimeter? Or when a DMZ was enough? Then came hardened web servers, SSL encryption, infrastructure for increasingly sophisticated authentication schemes and session management, and more. The latest battleground has been the applications themselves.
Browse the resources at OWASP.org or google 'web "application security" vulnerabilities 2008'. Application-layer vulnerabilities are consuming a greater percentage of the active Internet attack surface. In its latest Security Intelligence Report, Microsoft reports that 90% of vulnerabilities disclosed by researchers were in applications rather than in operating systems or browsers, and that nearly 50% of all disclosed vulnerabilities are now rated High severity.
As we extend more of our application functionality, and more of our sensitive and valuable information, out of the enterprise into end-user browsers, how are we dealing with the risks of that environment? The "Browser Security Handbook," written and maintained by Googler Michal Zalewski, is an extensive and exhaustive resource for your application architects, designers, coders and quality assurance personnel, as well as your application security engineers and assessment staff (more than 75 pages of lucid, often spartan text). It catalogs, browser by browser, how the major implementations differ in same-origin policy, content handling, scripting and other facets that applications depend on; when control matters, those many differences have to be dealt with effectively. There is no magic to save us. This is, and is going to continue to be, really hard work. The additional challenge will be to find ways to wring competitive advantage and profit out of these investments in application security.
— References —
Open Web Application Security Project (OWASP). http://www.owasp.org
Microsoft Security Intelligence Report, volume 5 (January-June 2008). http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en
Michal Zalewski. "Browser Security Handbook." http://code.google.com/p/browsersec/wiki/Main