Browser As Your Company’s Outer-Most Application Edge

Rich Internet Applications deliver increasing functionality, and with it, increasing amounts of sensitive information, out to end-users’ browsers.  Too often this is a browser and client-platform wasteland without control or consistency. How can we protect our information assets and brand?

More and more regulated personal or health-related information, more valuable intellectual property, more corporate secrets, are reaching our browsers.  As more of our application infrastructure is extended into end-user browsers, demonstrating a threshold level of due diligence is getting more complicated.

Remember when the threshold seemed to be the presence of a top-tier firewall at your Internet perimeter?  Or when a DMZ was enough?  Then hardened web servers, SSL encryption, infrastructure to provide increasingly sophisticated authentication schemes and session management, and more…  The latest battle-ground has been the applications themselves.

Browse the resources at OWASP.org or google ‘web “application security” vulnerabilities 2008’.  Application-layer vulnerabilities are consuming a greater percentage of the active Internet attack surface.  Microsoft recently reported that 90% of vulnerabilities discovered by researchers were in applications.  They also report that nearly 50% of all vulnerabilities are now rated HIGH severity or higher.

As we extend more of our application functionality, and more of our sensitive and valuable information, out of the enterprise into end-user browsers, how are we dealing with the risks associated with that environment?  The “Browser Security Handbook,” written and maintained by googler Michal Zalewski, is an extensive and exhaustive resource for your application architects, designers, coders, and quality assurance personnel, along with your application security engineers and assessment staff [more than 75 pages of lucid, often spartan text].  When control matters, the many differences along the many facets of browser technology need to be dealt with effectively. There is no magic to save us.  This is, and will continue to be, really hard work.  The additional challenge will be to find ways to wring competitive advantage and profits out of these investments in application security.

I believe that this handbook stands alone.  Contrary to what most of us would assume, much of this resource is simply excellent writing.  No waste, some beautiful sentences and paragraphs — even when writing about the “Document Object Model” or “Browser-side JavaScript.”  Michal Zalewski’s work is a joy to read.  Because this resource now exists, we all have one less excuse to avoid the inevitable slog through application security enhancements and upgrades, quality/vulnerability testing, and financing the whole endeavour.

— References —

Open Web Application Security Project (OWASP). http://www.owasp.org

Microsoft Security Intelligence Report, volume 5 (January – June 2008). http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en

Michal Zalewski. “Browser Security Handbook.” http://code.google.com/p/browsersec/wiki/Main
