'Smash' tool can keep malicious code out of organizations by separating data sources


IBM today rolled out new technology aimed at securing mashups -- Web applications that business users can build themselves by linking information streams from multiple sources.

IBM also disclosed that it has donated the new technology, codenamed "Smash" (for secure mashup), to the OpenAjax Alliance of vendors working to create standards for interoperable Asynchronous JavaScript and XML technologies. Smash allows information from different sources to communicate, but it keeps them separated so that malicious code that may be contained in one data source is kept out of enterprise systems, IBM said.

"People like to take gadgets and widgets and be able to build up their own dashboards, which is great," said Rod Smith, an IBM fellow and vice president. "It is empowering people to tune their information."

But he added, while users may assume that a mashup comes from the source the widget says it comes from, it could contain malicious code that could phish for information from a user's browser or from communications with a server, he added.

"We know people are going to go down this path, [so] how can we make sure they can do it in a more secure manner?" Smith said. "[Smash] is a little runtime piece [of code] that works in AJAX. As components come in through gadgets, it can proactively check to see if they are trustable. You'll be able to authenticate these pieces. As they're put on a page and they interact with other widgets on that page, you'll know they came from the right sources at that point."

Smith said that Smash is mainly aimed to be proactive protection against such attacks, which he said are not common today. However, a research report released by Gartner Inc. last month titled "The Creative and Insecure World of Web 2.0" noted that the potential for security risks increases as more business users morph into application developers by building mashups.

Because mashups enable masses of individuals within a company to become developers of applications that use their own versions of business rules and practices, they create risks for companies, the report said.

"Web 2.0 enables building applications by grabbing readily available content from someone else's Web site, a useful application from another site, design templates from one user community and [a] runtime platform from another user community," the report noted. "All this is done in a rapid application development style that often gets distorted and transformed into a style where developers begin programming before they start thinking. Lack of application development expertise will lead them to develop vulnerable applications."

Gartner advised that companies take several steps to deal with the vulnerabilities that can result from mashups, including the following:

* Base all enterprise practices on the assumption that Web-based content and software will be affected by Web 2.0, used in unexpected ways, and abused and attacked by outsiders and insiders.
* Validate all input into applications, browsers and databases; obfuscate code that contains valuable IP information; and filter outbound information.
* Expand the definition of vulnerability assessment to include the detection of external users of corporate content through mashups.
* Develop process guidelines and tool support for vulnerability testing of Web 2.0 applications.
* Demand security and IP certificates for every piece of software that open-source software communities and software vendors give or sell.
* Do not accept applications developed by external service providers, open-source software communities or business partners unless they are tested for security vulnerabilities.