Mashups, SAAS Present Security Risks

Experts say the techologies and their building blocks, XML and HTML, have inherent security flaws.

BOSTON—The rise of mashups and similar technologies has given developers a way to build simple applications, but they're also opening up a new world of security issues.

The risks involved with mashups and SAAS (software as a service) come because of the amount of sensitive data that can be exposed on the Internet. However, Jeremy Burton, CEO of Serena Software, which released its enterprise mashup platform Dec. 3, said the benefits of the technologies can outweigh the risks.

"There are definitely security risks involved when exposing any URL on the Internet which contains confidential data behind it," Burton said at the XML 2007 conference here Dec. 3. "But the productivity of mashups and economics of SAAS are so compelling that enterprises will take steps to manage the risk and reap the benefits. A trip in a jet airliner has a thousand times more risk than a horse and cart but amazingly everybody still uses it."

Burton spoke after a panel discussion at the show regarding the future of XML on the Web. Mashups rely on Web services to work, as they are combinations of various services. Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside.

Rene Bonvanie, senior vice president of worldwide marketing for partners and online services at Serena, said that with mashups, "there are multiple layers at which security can be instrumented—first of all, at the source systems; second at the SOA [service-oriented architecture]/middleware architecture level; and third at the mashup platform level."

There's no inherent security in SAAS, said Ron Schmelzer, an analyst with ZapThink. "You have to explicitly design that in," he said. "And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Furthermore, you have to deal with a new bread of denial-of-service attack that can target Service dependencies."

Mashups, by their nature as a composition of services, don't introduce new security issues, Schmelzer said.

"The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems," he said.

That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.

"It just needs to be addressed," he said. "Properly designed SOA, SAAS or mashups can be every bit as secure as any other enterprise application system, which means [they can be] as good as the architects."

Douglas Crockford, a senior JavaScript architect at Yahoo who is know for discovering the JavaScript Object Notation, said there's been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups.

"We've been so distracted by XML that HTML has not gotten the attention it needs," said Crockford, who was on the panel at the show..

Moreover, he said, "mashups are interesting but, unfortunately, because of security problems, they're just too dangerous. We have to address the security problems of the platform and get them right. … Mashups allow for taking data from several sources. The problem we have is there's no way of protecting the various agents from each other."

In addition, an acquiring server can't know if it is getting the right thing, he said. A vicious script could get "full access to the screen and can ask anything of the user, including their password. It's inherently dangerous."

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said.

"XML is still a vital part of the server infrastructure in many systems," he said.

Crockford said XML will continue to be vital because "once something gets into the enterprise, it can take generations to get it out. You can still buy a COBOL compiler. XML is clearly trending down; it is not going to replace HTML on the Web."

Michael Sperberg-McQueen, a member of the technical staff at the World Wide Web Consortium and one of the original editors of XML 1.0, also said XML has a future on the Web.

"There were 200 or so people involved in the formation of XML," Sperberg-McQueen said. "One goal was very simple; I wanted to be able to write things in descriptive markup using a vocabulary I was familiar with."

Moreover, "we won," Sperberg-McQueen said. "Every major browser supports the display of XML and client-side XSLT [Extensible Stylesheet Language Transformations]. … XML will die when you rip it out of my cold, dead hands."

Check out's Application Development Center for the latest news, reviews and analysis in programming environments and developer tools.