Ideally, application mashups are an easy way to blend data and
functionality from multiple sources. Poor development practices, however,
can burst that bubble, adding risk and making both the users
and the applications vulnerable.
As the use of enterprise mashups continues to grow, businesses may need to re-evaluate their application development practices.
Web applications are increasingly composed of several third-party
services and APIs, and maintaining security means application
development pros must include those services and APIs in their threat modeling, said Forrester Research analyst Mike Gualtieri.
“Developers are not adjusting,” he said. “They are just passing credentials and not worrying about it.”
Bill Geimer, president of security services provider Iron Vine, said
the proliferation of worms and other security issues on social
networking sites has increased awareness of the risks associated with
using third-party sites as marketing tools.
“It reminds me of the stories you would hear regarding organizations
that would experiment with setting up kiosks in 3-D virtual world
environments,” he said. “It seems like a good way to innovate and to
allow for anonymous interaction with your organization - that is, until
an avatar floats in and burns down your kiosk.”
While developers are already worried about issues such as cross-site
scripting and SQL injection, mashups can add to the attack surface and
bring vulnerabilities such as cross-site request forgery to the
forefront. But there are a number of steps businesses can take to
ensure they are able to deal with the changing requirements of their
applications.
In an article here, Max International Chief Technology Officer Jeff Hanson explains the importance of having a mashup server-side validation framework and a client-side mashup validation framework that complement one another.
“Because client-side validation can be circumvented quite easily, a
comprehensive and complementary server-side validation provides another
crucial component for protecting data and processes,” he wrote.
For an input-validation framework to be effective, he continued, it should define a finite list of allowed values to limit input data; validate input data types, lengths, ranges and formats; use the same regular expressions at the client and at the server to ensure consistency; and sanitize input data for invalid characters.
The advice will remind some of similar calls for input validation in the SANS Institute list of the top 25 programming errors.
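The framework Hanson describes can be expressed as one small rule module that a mashup loads both in the browser and on the server, so the two sides run the same regular expressions and limits. The following is an added example, not code from the article or from Hanson; the field names, allowed values, limits and the sample submissions are constructed for illustration, and it rejects inputs containing forbidden characters rather than stripping them, so a bad value never reaches a downstream component.

```javascript
// Added example (not from the article): a shared input-validation module for a
// mashup, loaded on the client for early feedback and again on the server as
// the authoritative check. All rule values below are constructed.

// Rule set: finite value lists, type/length/range checks and format regexes.
const RULES = {
  country:  { type: 'string', allowed: ['US', 'CA', 'GB', 'DE'] },
  age:      { type: 'integer', min: 13, max: 120 },
  email:    { type: 'string', maxLength: 254,
              pattern: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ },
  widgetId: { type: 'string', minLength: 1, maxLength: 32, pattern: /^[A-Za-z0-9_-]+$/ },
};

// Characters refused outright instead of "cleaned": markup delimiters, quotes,
// backslash and control characters.
const FORBIDDEN = /[<>"'`\\\u0000-\u001f]/;

// Validate one field against its rule. Returns null on success, otherwise a
// short error string naming the field and the failed check.
function validateField(name, raw, rule) {
  if (rule.type === 'integer') {
    if (typeof raw !== 'string' && typeof raw !== 'number') return `${name}: wrong type`;
    if (!/^-?\d{1,9}$/.test(String(raw))) return `${name}: not an integer`;
    const n = Number(raw);
    if (rule.min !== undefined && n < rule.min) return `${name}: below minimum`;
    if (rule.max !== undefined && n > rule.max) return `${name}: above maximum`;
    return null;
  }
  if (typeof raw !== 'string') return `${name}: wrong type`;
  if (FORBIDDEN.test(raw)) return `${name}: forbidden characters`;
  if (rule.allowed && !rule.allowed.includes(raw)) return `${name}: not in allowed list`;
  if (rule.minLength !== undefined && raw.length < rule.minLength) return `${name}: too short`;
  if (rule.maxLength !== undefined && raw.length > rule.maxLength) return `${name}: too long`;
  if (rule.pattern && !rule.pattern.test(raw)) return `${name}: bad format`;
  return null;
}

// Validate a whole submission. Fields not declared in the rule set are rejected
// (positive model), and every declared field must be present. Returns the list
// of error strings; an empty list means the input passed.
function validate(input, rules = RULES) {
  const errors = [];
  for (const name of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(rules, name)) {
      errors.push(`${name}: unexpected field`);
    }
  }
  for (const [name, rule] of Object.entries(rules)) {
    if (!(name in input)) { errors.push(`${name}: missing`); continue; }
    const err = validateField(name, input[name], rule);
    if (err) errors.push(err);
  }
  return errors;
}

// Constructed sample submissions: one clean, one failing every rule at once.
const GOOD = { country: 'US', age: '42', email: 'dev@example.com', widgetId: 'map_1' };
const BAD  = { country: 'XX', age: '7', email: 'x', widgetId: '<script>', extra: '1' };

console.log(validate(GOOD));   // []
console.log(validate(BAD));    // five errors, one per field plus the unexpected one
```

On the server the same `validate` call runs on the parsed request body before anything touches a database or a partner API; on the client it only decides whether to submit, which is why the server copy is the one that counts.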
Beyond input validation, Hanson also noted that many mashup widgets take the form of iframes, bringing with them the possibility of iframe fragment-identifier attacks. He recommended, among other things, encrypting fragment-identifier data using public keys and ensuring that only white-listed domains can alter fragment identifiers.
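The white-listed-domain check can be made concrete on the receiving side of a widget. The following is an added example, not code from the article or from Hanson: it takes the sender origin that the browser reports on a postMessage event (`event.origin`) as the identity to check, because a fragment identifier on its own carries no trustworthy sender identity, and then parses the fragment-style payload with a positive model. The allow-list entries, payload keys and sample events are constructed for illustration.

```javascript
// Added example (not from the article): accept cross-frame messages for a
// mashup widget only from allow-listed origins, then parse the fragment-style
// payload strictly. Origins and payload format below are constructed.

// Allow-list of full origins (scheme + host + port), never bare substrings.
const ALLOWED_ORIGINS = [
  'https://widgets.example.com',
  'https://maps.example.net',
];

// Normalise an origin to scheme://host[:port] with the URL parser so that
// "https://widgets.example.com/" equals "https://widgets.example.com" while
// "https://widgets.example.com.evil.test" does not. Non-https peers are refused.
function normalizeOrigin(s) {
  try {
    const u = new URL(s);
    if (u.protocol !== 'https:') return null;
    return u.origin;
  } catch {
    return null;   // "null" origins and unparsable strings fail closed
  }
}

function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  const o = normalizeOrigin(origin);
  if (o === null) return false;
  return allowlist.some((a) => normalizeOrigin(a) === o);
}

// Fragment-style payloads look like "#cmd=resize&height=400". Only known keys
// are accepted and each value must match a tight pattern.
const PAYLOAD_KEYS = { cmd: /^[a-z]{1,16}$/, height: /^\d{1,4}$/ };

function parseFragmentPayload(fragment) {
  const body = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  const out = {};
  for (const pair of body.split('&')) {
    const idx = pair.indexOf('=');
    if (idx < 0) return null;
    const k = pair.slice(0, idx);
    const v = pair.slice(idx + 1);
    if (!Object.prototype.hasOwnProperty.call(PAYLOAD_KEYS, k)) return null;
    if (!PAYLOAD_KEYS[k].test(v)) return null;
    out[k] = v;
  }
  return out;
}

// Handler for a postMessage-style event {origin, data}. Returns the parsed
// payload only when both the origin and the payload pass; otherwise null.
function handleWidgetMessage(event, allowlist = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(event.origin, allowlist)) return null;
  if (typeof event.data !== 'string') return null;
  return parseFragmentPayload(event.data);
}

// Constructed sample events: a legitimate one, a look-alike origin, and a
// trusted origin sending a malformed payload.
const EVENT_OK = { origin: 'https://widgets.example.com', data: '#cmd=resize&height=400' };
const EVENT_SPOOF = { origin: 'https://widgets.example.com.evil.test', data: '#cmd=resize&height=400' };
const EVENT_BADPAYLOAD = { origin: 'https://maps.example.net', data: '#cmd=<script>' };

console.log(handleWidgetMessage(EVENT_OK));          // { cmd: 'resize', height: '400' }
console.log(handleWidgetMessage(EVENT_SPOOF));       // null
console.log(handleWidgetMessage(EVENT_BADPAYLOAD));  // null
```

In a page the hook is `window.addEventListener('message', (e) => handleWidgetMessage(e))`, and the sender side should name the target origin explicitly when it posts rather than using `'*'`; the exact-origin comparison is the point, since substring or prefix matching is what look-alike hostnames exploit.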
Benjamin Jun, vice president of technology at Cryptography Research, told eWEEK application mashups require the use of authenticated APIs, and developers need to solve the issue of identity and access management.
“The challenges are twofold,” he explained. “First, the enrollment process for credentials on a social networking Website is very different from getting enrollment credentials for online banking. This means that there may be gaps in trust across authentication systems. Secondly, identity and access management is complex – particularly when considering the three R’s of corner cases: redirects, renegotiation and reconnections. Developers who use authentication APIs are usually forced into using their partner’s API, but can try to avoid (or at least take great care) when using those modes.”
Jun also recommended businesses be conscious of what he called “data teasing.”
“This is the presentation of snippets of sensitive data to users and search engines before authentication or full authentication is performed… When business requirements include teasing, site developers and security designers need to be extremely careful when serving such 'semi-private' information,” he said.
“No matter how good your security is, your overall security is only as good as the component with the weakest security,” Gualtieri said.