Welcome!

Machine Learning Authors: Liz McMillan, William Schmarzo, Zakia Bouachraoui, Yeshim Deniz, Kevin Benedict

Related Topics: Machine Learning

Machine Learning : Article

AJAX Security

Proper methods and best practices

In biology they are called proviruses, chunks of malicious genetic code encased by proteins. When one invades a cell, it embeds itself in the host's own genes. Treated as the cell's own DNA, the viral DNA lies dormant, undetected. Then, something flips the switch .The viral code is opened up and parsed, initiating the events that form a new generation of hundreds or thousands of copies, destroying the original host cell, and ready to continue the cycle.

Whether for a living cell or an AJAX application, effective security can be a matter of life or death. And whether the invader is a piece of viral DNA or a string of evil-minded code, the effects can be devastating. This article will discuss how such code can break into a Web application, embed itself in the application's data, and quickly spread elsewhere, much as a virus does. In each of these situations the article will present proper methods and best practices that can help beat the invading code. For our application we will imagine a social tagging site like a simpler Del.icio.us. The bad code in question will take various forms, and will be called either malicious code, exploit code, or simply exploit.

First, I should explain why the analogy of a cell is used. In many ways, these tiniest entities of life are very similar to Web applications, with many shared similarities.

Both:

  • May store and use massive amounts of data (organic molecules or electronic databases).
  • Periodically retrieve and use that data to carry out tasks.
  • Modify the data, (gene regulation or database queries such as ‘insert' and ‘update')
  • Security isn't a laughing matter for a cell or a Web app.

Security first takes effect at an application's entry points, the gates of the fortress, the receptors on the cell. Until recently, most of the external input a typical Web app got came from data manually entered by people, whether through forms or entering URLs. With the advent of public APIs, Web Services, and mashups, communication between Web sites has become commonplace. To start, let's go over some ways our social tagging application gets input:

  • Data for user profiles
  • Creating or updating lists of tags
  • Adding/categorizing Web sites or pages
  • Any "social" interactions
    -  Managing friends
    -  Sharing tags or links
    -  Rating items or sending recommendations
  • Data sent in through its public API

Each of these actions or events can pose a threat to our tagging application since they all involve a change to the data. It's here that an exploit starts its journey.

Let's go back to the cell analogy. Viruses never actively hunt or chase a cell, they simply move about until they bump into something that fits them. Small variations in the genes can make one variant of the virus more successful at its job than others. It's natural selection at its most efficient. But what significance does this have for security?

More Stories By Tamreen Khan

Tamreen Khan is the architect of the jPOP framework and founder of Scriptex Labs. He has experience at using PHP in both classic and unconventional ways. Tamreen continues to develop the framework as well as taking on new challenges, lately it has been procedurally generating Javascript code.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
In his general session at 21st Cloud Expo, Greg Dumas, Calligo’s Vice President and G.M. of US operations, discussed the new Global Data Protection Regulation and how Calligo can help business stay compliant in digitally globalized world. Greg Dumas is Calligo's Vice President and G.M. of US operations. Calligo is an established service provider that provides an innovative platform for trusted cloud solutions. Calligo’s customers are typically most concerned about GDPR compliance, application performance guarantees & data privacy.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with Tintri's web services architecture and APIs. Impress your DevOps team with smart and autonomous infrastructure.
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace.
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker containers gain prominence. He explored these challenges and how to address them, while considering how containers will influence the direction of cloud computing.