AJAX Security

Proper methods and best practices

In biology they are called proviruses, chunks of malicious genetic code encased by proteins. When one invades a cell, it embeds itself in the host's own genes. Treated as the cell's own DNA, the viral DNA lies dormant, undetected. Then something flips the switch. The viral code is opened up and parsed, initiating the events that form a new generation of hundreds or thousands of copies, destroying the original host cell and leaving the copies ready to continue the cycle.

Whether for a living cell or an AJAX application, effective security can be a matter of life or death. And whether the invader is a piece of viral DNA or a string of evil-minded code, the effects can be devastating. This article will discuss how such code can break into a Web application, embed itself in the application's data, and quickly spread elsewhere, much as a virus does. In each of these situations the article will present proper methods and best practices that can help beat the invading code. For our application we will imagine a social tagging site like a simpler Del.icio.us. The bad code in question will take various forms, and will be called either malicious code, exploit code, or simply exploit.

First, I should explain why the analogy of a cell is used. In many ways, these tiniest entities of life are very similar to Web applications.

Both:

  • May store and use massive amounts of data (organic molecules or electronic databases).
  • Periodically retrieve and use that data to carry out tasks.
  • Modify the data (gene regulation or database queries such as 'insert' and 'update').
  • Have to take security seriously; it is no laughing matter for a cell or a Web app.

Security first takes effect at an application's entry points: the gates of the fortress, the receptors on the cell. Until recently, most of the external input a typical Web app got came from data manually entered by people, whether through forms or by entering URLs. With the advent of public APIs, Web Services, and mashups, communication between Web sites has become commonplace. To start, let's go over some ways our social tagging application gets input:

  • Data for user profiles
  • Creating or updating lists of tags
  • Adding/categorizing Web sites or pages
  • Any "social" interactions
    -  Managing friends
    -  Sharing tags or links
    -  Rating items or sending recommendations
  • Data sent in through its public API

Each of these actions or events can pose a threat to our tagging application since they all involve a change to the data. It's here that an exploit starts its journey.
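
One way to guard the entry points listed above, as an added example that is not code from the original article: every submission, whether it arrives from a form or the public API, passes through the same allowlist validation, and stored values are HTML-encoded again on output. The field names (`url`, `tags`), the limits and the function names are assumptions made for the illustration.

```javascript
// Added example: one validation gate shared by every entry point (form or public API).
// Field names and limits are assumptions for illustration, not from the article.
const TAG_RE = /^[a-z0-9][a-z0-9_-]{0,31}$/; // allowlist: short, lowercase, no markup characters
const MAX_TAGS = 10;

function validateBookmark(input) {
  const errors = [];
  let url = null;
  try {
    const parsed = new URL(String(input.url));
    // Only http(s) links may be stored; javascript:, data: and similar schemes are rejected.
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') url = parsed.href;
    else errors.push('url: scheme not allowed');
  } catch (e) {
    errors.push('url: not a valid absolute URL');
  }
  const rawTags = Array.isArray(input.tags) ? input.tags : [];
  if (rawTags.length === 0 || rawTags.length > MAX_TAGS) errors.push('tags: need 1-' + MAX_TAGS);
  const tags = [];
  for (const t of rawTags) {
    const tag = String(t).trim().toLowerCase();
    if (TAG_RE.test(tag)) { if (!tags.includes(tag)) tags.push(tag); }
    else errors.push('tags: rejected ' + JSON.stringify(tag));
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { url, tags } };
}

// Stored data is still encoded when written into HTML, in case something reached
// the database through another path (an import, an older code version).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function renderBookmark(b) {
  const tags = b.tags.map(t => '<li>' + escapeHtml(t) + '</li>').join('');
  return '<a href="' + escapeHtml(b.url) + '">' + escapeHtml(b.url) + '</a><ul>' + tags + '</ul>';
}

// Constructed sample submissions: one well-formed, one carrying script in both fields.
const good = validateBookmark({ url: 'https://example.com/a?x=1&y=2', tags: ['AJAX', 'security'] });
const bad = validateBookmark({ url: 'javascript:alert(1)', tags: ['<script>'] });
console.log(good, bad, good.ok ? renderBookmark(good.value) : '');
```

Rejecting at the gate keeps the exploit out of the data store; encoding on output limits the damage if a value was stored before the gate existed.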

Let's go back to the cell analogy. Viruses never actively hunt or chase a cell; they simply move about until they bump into something that fits them. Small variations in the genes can make one variant of the virus more successful at its job than others. It's natural selection at its most efficient. But what significance does this have for security?

More Stories By Tamreen Khan

Tamreen Khan is the architect of the jPOP framework and founder of Scriptex Labs. He has experience using PHP in both classic and unconventional ways. Tamreen continues to develop the framework as well as taking on new challenges; lately it has been procedurally generating JavaScript code.
