Welcome!

Machine Learning Authors: Liz McMillan, Pat Romanski, Zakia Bouachraoui, Yeshim Deniz, Elizabeth White

Related Topics: Machine Learning

Machine Learning : Article

AJAX Security

Proper methods and best practices

In biology they are called proviruses, chunks of malicious genetic code encased by proteins. When one invades a cell, it embeds itself in the host's own genes. Treated as the cell's own DNA, the viral DNA lies dormant, undetected. Then, something flips the switch .The viral code is opened up and parsed, initiating the events that form a new generation of hundreds or thousands of copies, destroying the original host cell, and ready to continue the cycle.

Whether for a living cell or an AJAX application, effective security can be a matter of life or death. And whether the invader is a piece of viral DNA or a string of evil-minded code, the effects can be devastating. This article will discuss how such code can break into a Web application, embed itself in the application's data, and quickly spread elsewhere, much as a virus does. In each of these situations the article will present proper methods and best practices that can help beat the invading code. For our application we will imagine a social tagging site like a simpler Del.icio.us. The bad code in question will take various forms, and will be called either malicious code, exploit code, or simply exploit.

First, I should explain why the analogy of a cell is used. In many ways, these tiniest entities of life are very similar to Web applications, with many shared similarities.

Both:

  • May store and use massive amounts of data (organic molecules or electronic databases).
  • Periodically retrieve and use that data to carry out tasks.
  • Modify the data, (gene regulation or database queries such as ‘insert' and ‘update')
  • Security isn't a laughing matter for a cell or a Web app.

Security first takes effect at an application's entry points, the gates of the fortress, the receptors on the cell. Until recently, most of the external input a typical Web app got came from data manually entered by people, whether through forms or entering URLs. With the advent of public APIs, Web Services, and mashups, communication between Web sites has become commonplace. To start, let's go over some ways our social tagging application gets input:

  • Data for user profiles
  • Creating or updating lists of tags
  • Adding/categorizing Web sites or pages
  • Any "social" interactions
    -  Managing friends
    -  Sharing tags or links
    -  Rating items or sending recommendations
  • Data sent in through its public API

Each of these actions or events can pose a threat to our tagging application since they all involve a change to the data. It's here that an exploit starts its journey.

Let's go back to the cell analogy. Viruses never actively hunt or chase a cell, they simply move about until they bump into something that fits them. Small variations in the genes can make one variant of the virus more successful at its job than others. It's natural selection at its most efficient. But what significance does this have for security?

More Stories By Tamreen Khan

Tamreen Khan is the architect of the jPOP framework and founder of Scriptex Labs. He has experience at using PHP in both classic and unconventional ways. Tamreen continues to develop the framework as well as taking on new challenges, lately it has been procedurally generating Javascript code.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
The Crypto community has run out of anarchists, libertarians and almost absorbed all the speculators it can handle, the next 100m users to join Crypto need a world class application to use. What will it be? Alex Mashinsky, a 7X founder & CEO of Celsius Network will discuss his view of the future of Crypto.
Docker and Kubernetes are key elements of modern cloud native deployment automations. After building your microservices, common practice is to create docker images and create YAML files to automate the deployment with Docker and Kubernetes. Writing these YAMLs, Dockerfile descriptors are really painful and error prone.Ballerina is a new cloud-native programing language which understands the architecture around it - the compiler is environment aware of microservices directly deployable into infrastructures like Docker and Kubernetes.
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. His expertise is in automating deployment, management, and problem resolution in these environments, allowing his teams to run large transactional applications with high availability and the speed the consumer demands.
When Enterprises started adopting Hadoop-based Big Data environments over the last ten years, they were mainly on-premise deployments. Organizations would spin up and manage large Hadoop clusters, where they would funnel exabytes or petabytes of unstructured data.However, over the last few years the economics of maintaining this enormous infrastructure compared with the elastic scalability of viable cloud options has changed this equation. The growth of cloud storage, cloud-managed big data environments, and cloud data warehouses like Snowflake, Redshift, BigQuery and Azure SQL DW, have given the cloud its own gravity - pulling data from existing environments. In this presentation we will discuss this transition, describe the challenges and solutions for creating the data flows necessary to move to cloud analytics, and provide real-world use-cases and benefits obtained through adop...
Blockchain has shifted from hype to reality across many industries including Financial Services, Supply Chain, Retail, Healthcare and Government. While traditional tech and crypto organizations are generally male dominated, women have embraced blockchain technology from its inception. This is no more evident than at companies where women occupy many of the blockchain roles and leadership positions. Join this panel to hear three women in blockchain share their experience and their POV on the future of blockchain.