Security consultant Christopher Wells has just written Securing Ajax Applications, $49.99 from O’Reilly. While the book is written for Ajax developers, I think it’s more appropriate for business analysts who are specifying Ajax projects. Security Ajax Applications has a lot more to say to technically literate project managers than to hot shot programmers. Don’t get me wrong, developers will get a fundamental grounding in creating secure applications. However, until security is specified as a program requirement by the people paying the developers’ salary, Ajax apps will be developed as quickly as possible with little regard to security.
Over the last two years there has been much heat in the security community about the insecurities of Ajax application development. Case in point was the presentation on Premature Ajax-ulation at Black Hat Las Vegas in August.
The presenters, Bryan Sullivan and Billy Hoffman of SPI Dynamics (acquired the same day the presentation, Aug. 1, by HP) cleverly created a site Hackervacations.com using security advice from a select group of Ajax coding references. The result was a mess of vulnerabilities that basically allowed the pair to buy fictitious airline tickets for $1.Sullivan and Hoffman have a forthcoming book on ajax-ulation problems with the more demure title of Ajax Security, also $49.99 although not yet available.
Wells book was not one of the security authorities they cited for the bad advice used to build hackervacation. On the other hand, Wells doesn’t always make it easy to distill the important points of secure Ajax application development. Hidden at the bottom of page 42 is this gem: “If you remember anything from this book let it be this: you cannot trust any information coming from the client/browser.” He goes on the call for Ajax developers to validate all client input. He recommends a widely accepted strategy of using positive validation. Check data for what should be there (for example, format and length) and reject anything that doesn’t match.
Securing Ajax Applications covers server protection, securing Web services and building secure APIs. And it is a strong exhortation to developers to include security in the fundamental design of their Ajax applications.
Wells’ book is a decent primer on security. The beginning sections are a bit too simple and encourage the reader to skip ahead to the “good stuff.” I’m afraid that driven programmers will lose patience with the sometimes too cutely worded phrases of the book and miss the important points. (For example, the missive on page 42.) Business analysts will find useful material by the page for building project specifications that call for secure applications.
Title: Securing Ajax Applications Subtitle: Ensuring the Safety of the Dynamic Web First Edition: July 2007 ISBN 10: 0-596-52931-7 ISBN 13: 9780596529314 Pages: 250