Security and AJAX
Best practices

Browser-side techniques such as AJAX (Asynchronous JavaScript and XML) are making it easier for developers to deliver fast, responsive interactive Web applications. With AJAX, the page does not reload after every change; script running in the browser sends small requests in the background and updates only the part of the page that changed, so new data appears almost as soon as it is entered.

From a response perspective, it's almost like working with a desktop application.

However, the use of AJAX also opens up a number of security challenges for organizations to evaluate as they consider leveraging this robust architecture to enhance their Web services offerings.

The potential vulnerabilities associated with AJAX are especially important to consider in today's Internet-based business world. Information technology serves as the foundational vehicle for business communications, operations, transactions, and more. Consumers, too, are taking advantage of Internet connections to bank, shop, manage accounts, and interact with their institutions of choice from the comfort of their own homes.

At the same time, threats to these highly interactive and responsive Web environments are appearing on the Internet landscape. Vulnerabilities in Web applications and browsers and risks associated with AJAX-style application environments may present organizations with serious challenges to security. To protect against such risks, organizations must understand the issues surrounding AJAX security and follow best practices for more secure Web application development.

AJAX Pressure Points
Moving business logic from the server to the client is where many of the security risks of AJAX begin. Script that runs in the browser runs on a machine the attacker controls, so any validation, pricing, or access decision made there can be altered or skipped, and every URL that script calls is in effect a Web service that can be invoked directly with arbitrary input. The resulting risks range from performance problems to exposing applications to the same vulnerabilities as any other Web service, and the implications can be serious.

For example, system-wide performance degradation can occur as the volume of XML traffic increases, and the steady parsing and exception handling of malformed messages can disrupt server performance. Because an AJAX page can issue many requests without waiting for each response, a single client can generate a high request rate, which makes denial of service (DoS) attacks easier. And since the requests are assembled by script the browser runs, an attacker can replace that script, or interpose a proxy, to send corrupted or unexpected data to the server.
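As an added example (not code from the original article), the following JavaScript shows the three bounds a server should place on an AJAX endpoint before it does any parsing: a per-client token bucket that caps request rate, a payload size cap, and a fail-closed parse of the message body so that a malformed message becomes a 400 response rather than an exception. The class and method names, the limits, and the JSON message format are this example's own assumptions; the same checks apply to XML payloads, with only the parse step differing.

```javascript
// Added example, not code from the original article. A request gate that bounds the
// work a single asynchronous client can force on an AJAX endpoint. Class names, limits
// and the JSON message format are this example's assumptions.

class TokenBucket {
  // capacity = allowed burst, refillPerSec = sustained request rate
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.lastMs = 0;
  }
  // Refill according to elapsed time, then try to spend one token.
  take(nowMs) {
    const elapsedSec = Math.max(0, nowMs - this.lastMs) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.lastMs = nowMs;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

class RequestGate {
  constructor({ ratePerSec = 5, burst = 10, maxBodyBytes = 4096 } = {}) {
    this.ratePerSec = ratePerSec;
    this.burst = burst;
    this.maxBodyBytes = maxBodyBytes;
    this.buckets = new Map(); // clientId -> TokenBucket
  }

  // Decide whether to process a request. clientId identifies the caller (session id or
  // source address), rawBody is the undecoded request body, nowMs is a timestamp the
  // caller supplies so the logic is deterministic. Returns { status, body }: the HTTP
  // status the server would send, and either a short error string or the parsed message.
  admit(clientId, rawBody, nowMs) {
    // 1. Rate limit first: it is the cheapest check, and a rejected request still
    //    costs the client a token, so a flood of malformed messages gets no free pass.
    let bucket = this.buckets.get(clientId);
    if (!bucket) {
      bucket = new TokenBucket(this.burst, this.ratePerSec);
      this.buckets.set(clientId, bucket);
    }
    if (!bucket.take(nowMs)) return { status: 429, body: 'rate limit exceeded' };

    // 2. Size cap before parsing, so the parser never sees an unbounded input.
    if (new TextEncoder().encode(rawBody).length > this.maxBodyBytes) {
      return { status: 413, body: 'payload too large' };
    }

    // 3. Fail-closed parse: a malformed message is a 400 response, not an exception
    //    that propagates into the server's error handling.
    let msg;
    try {
      msg = JSON.parse(rawBody);
    } catch (err) {
      return { status: 400, body: 'malformed message' };
    }
    // Enforce the expected shape as well as syntactic validity.
    if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
      return { status: 400, body: 'malformed message' };
    }
    return { status: 200, body: msg };
  }
}

// Stand-alone demonstration with a constructed burst from one client, then an
// oversized and a malformed message from another.
function demo() {
  const gate = new RequestGate({ ratePerSec: 1, burst: 3, maxBodyBytes: 64 });
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < 4; i++) results.push(gate.admit('client-a', '{"q":"x"}', t0).status);
  results.push(gate.admit('client-a', '{"q":"x"}', t0 + 1000).status); // one token refilled
  results.push(gate.admit('client-b', 'x'.repeat(100), t0).status);    // too large
  results.push(gate.admit('client-b', '{not json', t0).status);        // malformed
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The rate limiter runs before the size and parse checks on purpose: the expensive steps are the ones an attacker wants the server to repeat, so they are reached only by requests that have already paid for a token.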

In addition, improper input validation can cause Web application components to crash or behave unexpectedly. Cryptography is difficult to implement correctly, and home-grown or misused cryptographic code rarely provides strong protection. Attackers can exploit flaws in access controls to read confidential data, call functions they are not authorized to use, and more. Improper error handling can hand an attacker system information such as stack traces, file paths, and database error text, bring servers down, or render security mechanisms ineffective.

In October 2005, such concerns were highlighted when the Samy worm spread through MySpace. The worm was JavaScript stored in a user's profile; MySpace's filters were meant to strip script from profile content, but the worm's payload bypassed them, and when other users viewed the profile the script used XMLHttpRequest to add its author as a friend and copy itself into the viewer's profile, reaching about a million profiles in under a day. But AJAX vulnerabilities are not an organization's only concern. Software vulnerabilities in general are steadily increasing, and the volume has never been higher.

Vulnerabilities in Web Applications
First, the good news. During the second half of 2005, there was only a slight increase in the total number of vulnerabilities disclosed over the previous six months, from 1,871 to 1,896. That's according to the Internet Security Threat Report from Symantec Corp. covering the period from July 1 to Dec. 31, 2005. The semiannual report provides a six-month update of Internet threat activity and includes an analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code and additional security risks.

Now, the bad news. For 2005 as a whole, the total volume of vulnerabilities reached 3,767, the highest yearly total recorded since 1998.

And to what is much of this growth attributed? Web application vulnerabilities. Of the vulnerabilities disclosed during the last half of 2005, 69 percent were associated with Web applications. This number reflects the shift toward the Web as a platform for applications that were previously stand-alone software suites or client-server solutions. And because perimeter firewalls allow Web traffic through by default, organizations that host Web applications are often left exposed to attacks that are difficult both to detect and to prevent.

Web application vulnerabilities are a serious security concern because they are typically exposed to the Internet through Web servers, which are often the external face of an organization on the Internet. Web servers make a popular target because attackers can exploit them to steal information that passes through them, such as credit card and bank information. Web servers can also serve as potential jump-off points into databases that hold sensitive client or user information. Compromised Web servers can also be used to host phishing sites and to launch attacks against Web browsers that access them. According to the Symantec report, such attacks are becoming more prominent.

The rise in Web application vulnerabilities is likely due to the ease with which they can be introduced into source code. Also, small Web applications are often developed on an ad hoc basis. And while AJAX-type development methods provide a rich set of application capabilities, allowing more people to develop such programs in a shorter period of time, not all developers may be trained to incorporate security in the programs they develop.

The first examples of malicious code that propagates by exploiting vulnerabilities in Web-based applications or services appeared in late 2004 and 2005. These included the first widely reported Web application worm, Perl.Santy, which spread in December 2004 by exploiting a vulnerability in the widely deployed phpBB forum software. The next was a segment of JavaScript code that quickly spread through the profiles of MySpace users by taking advantage of a vulnerability in the social networking Web site, as previously mentioned. And the most recent example of propagating code exploited a vulnerability in the Mambo content management system.

Browser Blemishes
The Web browser is a crucial application that has security implications for AJAX and other Web application environments. Vulnerabilities in Web browsers can allow attackers to circumvent traditional perimeter security devices. The browser's ubiquity in homes and businesses makes the exploitation of Web browser vulnerabilities one of the most effective ways to attack users.

During the last half of 2005, 24 new vendor-confirmed and non-vendor-confirmed vulnerabilities were disclosed that affected at least one version of Microsoft Internet Explorer. During this same period, the Mozilla Firefox browser was affected by 17 new vendor-confirmed and non-vendor-confirmed vulnerabilities.

Attacks that target Web browser and Web application vulnerabilities are often conducted over HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which in turn can lead to the installation of malicious code, including bots.

In fact, both Web browser and Web application vulnerabilities may create the potential for large increases in bots and bot networks. Bot networks are groups of compromised computers on which attackers have installed software that listens for and responds to commands. Bots can have a number of effects on all Internet users, including home users, small businesses, and large organizations. A single infected host within a network can allow a bot to propagate to other computers that are normally protected against external attacks by corporate firewalls. Bots can be used by external attackers to perform denial of service (DoS) attacks against the enterprise's Web site. And bots within an organization's network can be used to attack other organizations' Web sites, which can have serious legal consequences.

Keeping It Clean
As the number of Web application and browser vulnerabilities grows, they will likely serve as a more attractive target for potential attackers to exploit. And, because the Web is a popular medium for the delivery of products and services, understanding and securing against Web-based attacks is an important security objective.

As a result, organizations must manage their Web-based assets carefully. If they develop Web applications in-house, developers should be trained in secure development, including the safe use of shared development systems. Wherever possible, all Web applications should be audited for security prior to deployment.

In working toward more secure AJAX and similar Web applications, developers must recognize that vulnerabilities can occur anywhere in the application lifecycle as well as throughout all of the components of an application. A Web server, database, business logic, application server, and operating system are all required to make up a Web application. Each component can be coded or configured differently, but all of the components come together to form a Web application. The potential attack vectors for such applications are tied to each technology component and type.

What's more, the information handled by a Web application is exposed at each stage of its lifecycle. The first phase is creation, when the user enters data into the Web application, which holds it in a temporary form while passing it to the other application components. The second is transfer, when the data moves to a backend database. The third, storage, is another point of exposure, as the database writes the data to disk. And the information is exposed again in the final phase, retrieval, when the user later views his or her data in the browser.

Developers of AJAX-based applications can reduce the risk to their infrastructure by validating all input on the server, keeping business logic on the server, knowing and testing for well-known attack classes such as SQL injection and cross-site scripting, and ensuring that every request, including every background request the page's script makes, is authenticated and authorized.
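The following is an added example, not the article's own code, pulling together the practices listed above and the error-handling point made under "AJAX Pressure Points": a server-side handler for an AJAX "transfer" request that re-checks everything the browser could have tampered with. It authenticates the session, ties the request to that session with a CSRF token carried in a header, validates the amount on the server, makes the authorization decision (ownership of the source account) from the session rather than from anything the client sent, builds a parameterized statement, HTML-encodes what it echoes back, and turns unexpected exceptions into a generic response. A deliberately insecure handler is shown beside it for contrast. The request shape, the session and account tables, the field names, and the limits are constructed for this example and belong to no particular framework.

```javascript
// Added example, not the article's own code: a server-side handler for an AJAX
// "transfer" request, written against a plain request object ({cookies, headers, body}).
// The session store, account table, field names and limits are constructed here.

const sessions = new Map([['sess-alice', { userId: 'alice', csrfToken: 'tok-a1' }]]);
const accounts = new Map([
  ['acct-100', { owner: 'alice', balance: 500 }],
  ['acct-200', { owner: 'bob', balance: 900 }],
]);

// HTML-context encoding for anything echoed back into the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The shape to avoid: trusts that the browser validated the amount and picked an
// account the user owns, and splices both straight into the SQL text.
function handleTransferInsecure(req) {
  const { from, total } = req.body;
  return { status: 200, sql: `UPDATE accounts SET balance = balance - ${total} WHERE id = '${from}'` };
}

function handleTransfer(req) {
  // Authentic (1): the request must belong to a live session...
  const session = sessions.get(req.cookies.sid);
  if (!session) return { status: 401, body: 'not authenticated' };
  // ...and carry that session's CSRF token in a header. A cross-site page can make the
  // browser send the cookie, but cannot read the token to put it in the header.
  if (req.headers['x-csrf-token'] !== session.csrfToken) {
    return { status: 403, body: 'missing or invalid csrf token' };
  }

  // Server-side validation (2): client-side checks are a convenience, not a control.
  const rawAmount = String(req.body.amount ?? '');
  if (!/^[1-9]\d{0,4}$/.test(rawAmount)) return { status: 400, body: 'invalid amount' };
  const amount = Number(rawAmount);
  if (amount > 10000) return { status: 400, body: 'amount exceeds limit' };
  const { from, to } = req.body;
  if (typeof from !== 'string' || typeof to !== 'string') return { status: 400, body: 'invalid account' };

  // Authorized (3): ownership of the source account is decided here, from the session,
  // never from an id or flag the browser sent.
  const src = accounts.get(from);
  if (!src || src.owner !== session.userId) return { status: 403, body: 'forbidden' };
  if (!accounts.has(to)) return { status: 400, body: 'invalid account' };
  // Business rule (4) stays on the server, where the client cannot skip it.
  if (src.balance < amount) return { status: 400, body: 'insufficient funds' };

  // Parameterized statement (5): user data travels as parameters, not as SQL text.
  const stmt = {
    sql: 'UPDATE accounts SET balance = balance - ? WHERE id = ? AND owner = ?',
    params: [amount, from, session.userId],
  };
  // Output encoding (6) for the memo the page will display.
  return { status: 200, body: { stmt, memoHtml: escapeHtml(req.body.memo ?? '') } };
}

// Error handling (7): anything unexpected becomes a generic response; the detail goes
// to the server log, not to the client.
function safeHandle(handler, req, log = () => {}) {
  try {
    return handler(req);
  } catch (err) {
    log(`${new Date().toISOString()} ${err.stack}`);
    return { status: 500, body: 'internal error' };
  }
}

// Constructed requests: a legitimate call, then variants an attacker could produce.
function demo() {
  const good = {
    cookies: { sid: 'sess-alice' },
    headers: { 'x-csrf-token': 'tok-a1' },
    body: { from: 'acct-100', to: 'acct-200', amount: '250', memo: '<b>rent</b>' },
  };
  return {
    ok: handleTransfer(good),
    noToken: handleTransfer({ ...good, headers: {} }).status,                           // cross-site
    otherAccount: handleTransfer({ ...good, body: { ...good.body, from: 'acct-200' } }).status,
    negative: handleTransfer({ ...good, body: { ...good.body, amount: '-5' } }).status,  // client check bypassed
    crash: safeHandle(handleTransfer, {}).status,                                         // malformed request
    injected: handleTransferInsecure({ body: { from: "x' OR '1'='1", total: '1' } }).sql,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that the ownership check and the `owner = ?` condition in the statement are deliberately redundant: the handler decides authorization, and the statement refuses to act even if a later refactoring drops the check.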

In addition, while many security risks are associated with application vulnerabilities, others are the result of poor operational practices such as improper data storage, unpatched software, lost backup tapes or laptops, mail theft, social engineering, and more.

Needless to say, to provide a more protected Web services environment, businesses must not only apply best practices for developing secure AJAX applications but must also put in place the policies and procedures for mitigating risk throughout their organizations. This includes understanding their current risk posture regarding applications, including regulatory compliance issues, liabilities, and operational dependencies, then defining their desired risk posture, developing a plan to achieve it, and following that plan.

Guarding the Gateway
Digital interactions have become ubiquitous. Consumers entrust organizations with their financial data, email messages, and family photos, and organizations house more and more sensitive customer and corporate data in Web applications. At the same time, customers demand faster service from their Web applications, expecting interactions that respond almost as soon as they press a key.

Meanwhile, vulnerabilities in Web application technologies are causing organizations to evaluate the risks associated with new, more flexible development techniques such as AJAX. Attackers have quickly recognized that targeting Web vulnerabilities gives them access to data, from financial data to internal employee data, much more quickly than network-level attacks did.

Compounding these risks are vulnerabilities in Web browsers, which may enable attackers to bypass security mechanisms to exploit operating systems and applications, and even install bot software.

To continue to leverage the robust and flexible AJAX architecture to provide the world-class services that customers require, organizations must demonstrate that they are trusted partners by taking steps to improve customer confidence and incorporating security throughout the lifecycle of the application. Security must also be evaluated in every component of a Web application, from the Web server to the database, business logic, application server, and operating system.

Secure application development is complemented by best practices for mitigating risk across the enterprise. Organizations must put in place and follow a risk management policy that addresses security as it applies not only to technology but to people and processes as well.

In today's technology-based culture, applications will continue to serve as the gateway to information, a company's greatest asset and a hacker's favored target. Identifying application vulnerabilities and determining how to protect against their exploitation will therefore remain a priority as enterprises move critical applications and services to the Web.

By following best practices for more secure code and a more protected Web services infrastructure, organizations can leverage innovative and rich technology platforms such as AJAX to provide the highly responsive interaction customers demand, in a safer, more secure environment.

About Samir Kapuria
Samir Kapuria is the Director of Strategy Practice at Symantec Global Security Consulting.
