Feeds

ID and the triple-A challenge of mashup security

Sources unknown

Top three mobile application threats

The loose coupling of data drawn from different systems is one of the enduring appeals of mashups. However, what if some of that data needs to be handled securely, or it is necessary to log in to some or all of the data feeds? What if the mashup as a whole represents some form of sensitive system - now security is an issue.

Last time I looked at the technical challenges facing development of mashups. Now, it's time to turn to the security issues you'll need to consider when building enterprise-oriented mashups.

The most important questions the enterprise-based mashup developer must consider are:

  • Security of the communications medium
  • User identity and authentication
  • Authorization
  • Auditing

Let's take these individually.

Secure communications

Sensitive data is likely to require confidentiality (that is, encryption) in any application, and you must take care not put it at risk when you mash it with other sources. Of course there are protocols available that allow for encryption of data from SSL and HTTPS through to custom encryption implementations.

Mashups are complicated because data is provided by different sources using different technologies, meaning a single encryption method is unlikely to be suitable. For example, many mashups rely on the use of web-service standards, but these could be augmented by other protocols such as RSS data feeds, RMI and REST. In a further twist to the complexity, web services have an emerging set of security standards such as WS-Security, WS-SecureConversation and WS-Trust that are at varying degrees of completion and commercialization. The WS-* family are also increasingly seen as a rather inflexible way of building web services compared to architectures like REST.

User identity and authentication

The concept of identity and the authentication of that identity are typical concerns for enterprise systems. For distributed applications a common approach is to adopt some form of single sign-on model. In this model a user logs in once to a system and then each system they access beyond this can confirm that the user is already logged in. This is usually achieved via some form of ticket provided to the user session on initial log in and this ticket can then be checked with a central server by each subsequent system. There are numerous single sign-on systems available (such as CA's SiteMinder) and APIs to access them (such as the Java Authentication and Authorization Service).

In such scenarios all the systems that need authentication work together to represent a single security domain - in the mashup world, this may or may not be the situation. Of course, developers will (and have) found ways around this but if the mashup holds appropriate (possibly hard coded) security details for each system accessed then this in itself represents a security concern.

Authorization

Authentication is one thing, but what about authorization? This relates to the confirmation that a user of a service has the right to perform the operation being selected. Such access control rights information may be held in a repository like an LDAP-based directory or in a priority system that, once the application has authenticated the user, can check to see they are allowed to access the specific data they have requested. This may be an issue for enterprise mashups as the data source could come from outside.

Auditing

Finally, in many enterprise systems you will find people talk about the triple As of security - AAA. The first two - authentication and authorization - we have covered. Equally important and challenging in the mashup is the third - auditing. Auditing comes when the enterprise wants to know who did what to what, and what information they used. Again, as the systems being used may come from outside the control of the enterprise, auditing may not be possible.

Think first, then mash

Mashups are already moving into the corporate domain particularly within the information worker arena, thanks to applications and middleware from BEA Systems, IBM, Microsoft and Oracle among others. However, if corporates adopt mashup technologies for a wider range of applications then security will be an issue at some point. The key take away here is not that the issues I've raised can't be resolved, but they need to be considered right at the start of any mashup development, and not assumed or tacked on as the application progresses.®

Seven Steps to Software Security

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.