Machine Learning Authors: Elizabeth White, Yeshim Deniz, Zakia Bouachraoui, Liz McMillan, Carmen Gonzalez

Related Topics: Machine Learning

Machine Learning : Article

AJAX Security

Proper methods and best practices

In biology they are called proviruses, chunks of malicious genetic code encased by proteins. When one invades a cell, it embeds itself in the host's own genes. Treated as the cell's own DNA, the viral DNA lies dormant, undetected. Then, something flips the switch .The viral code is opened up and parsed, initiating the events that form a new generation of hundreds or thousands of copies, destroying the original host cell, and ready to continue the cycle.

Whether for a living cell or an AJAX application, effective security can be a matter of life or death. And whether the invader is a piece of viral DNA or a string of evil-minded code, the effects can be devastating. This article will discuss how such code can break into a Web application, embed itself in the application's data, and quickly spread elsewhere, much as a virus does. In each of these situations the article will present proper methods and best practices that can help beat the invading code. For our application we will imagine a social tagging site like a simpler Del.icio.us. The bad code in question will take various forms, and will be called either malicious code, exploit code, or simply exploit.

First, I should explain why the analogy of a cell is used. In many ways, these tiniest entities of life are very similar to Web applications, with many shared similarities.


  • May store and use massive amounts of data (organic molecules or electronic databases).
  • Periodically retrieve and use that data to carry out tasks.
  • Modify the data, (gene regulation or database queries such as ‘insert' and ‘update')
  • Security isn't a laughing matter for a cell or a Web app.

Security first takes effect at an application's entry points, the gates of the fortress, the receptors on the cell. Until recently, most of the external input a typical Web app got came from data manually entered by people, whether through forms or entering URLs. With the advent of public APIs, Web Services, and mashups, communication between Web sites has become commonplace. To start, let's go over some ways our social tagging application gets input:

  • Data for user profiles
  • Creating or updating lists of tags
  • Adding/categorizing Web sites or pages
  • Any "social" interactions
    -  Managing friends
    -  Sharing tags or links
    -  Rating items or sending recommendations
  • Data sent in through its public API

Each of these actions or events can pose a threat to our tagging application since they all involve a change to the data. It's here that an exploit starts its journey.

Let's go back to the cell analogy. Viruses never actively hunt or chase a cell, they simply move about until they bump into something that fits them. Small variations in the genes can make one variant of the virus more successful at its job than others. It's natural selection at its most efficient. But what significance does this have for security?

More Stories By Tamreen Khan

Tamreen Khan is the architect of the jPOP framework and founder of Scriptex Labs. He has experience at using PHP in both classic and unconventional ways. Tamreen continues to develop the framework as well as taking on new challenges, lately it has been procedurally generating Javascript code.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

CloudEXPO Stories
Most modern computer languages embed a lot of metadata in their application. We show how this goldmine of data from a runtime environment like production or staging can be used to increase profits. Adi conceptualized the Crosscode platform after spending over 25 years working for large enterprise companies like HP, Cisco, IBM, UHG and personally experiencing the challenges that prevent companies from quickly making changes to their technology, due to the complexity of their enterprise. An accomplished expert in Enterprise Architecture, Adi has also served as CxO advisor to numerous Fortune executives.
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the competition, or worse, just keep up. Each new opportunity, whether embracing machine learning, IoT, or a cloud migration, seems to bring new development, deployment, and management models. The results are more diverse and federated computing models than any time in our history.
Andrew Keys is co-founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereum.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes.
The dream is universal: heuristic driven, global business operations without interruption so that nobody has to wake up at 4am to solve a problem. Building upon Nutanix Acropolis software defined storage, virtualization, and networking platform, Mark will demonstrate business lifecycle automation with freedom of choice and consumption models. Hybrid cloud applications and operations are controllable by the Nutanix Prism control plane with Calm automation, which can weave together the following: database as a service with Era, micro segmentation with Flow, event driven lifecycle operations with Epoch monitoring, and both financial and cloud governance with Beam. Combined together, the Nutanix Enterprise Cloud OS democratizes and accelerates every aspect of your business with simplicity, security, and scalability.