WebApp Sec mailing list archives
Re: The ever encroaching blur between web apps and apps
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 1 Sep 2004 10:39:12 -0400
The interesting thing about this trend, to me, is the effect on the trust relationship between client-code and server-code. The relationship between clients and servers has been getting more and more complex -- "the network is the computer." Web applications were a big step in this direction, and it gave attackers the full range of HTTP to embed their attacks. I think this latest trend towards richer UIs for web applications will increase the complexity of the communications between client and server code even further. And that is going to open the door for more sophisticated attacks. The same argument goes for web services -- more complex interaction between attackers (er...users) and applications means more attack surface and more vulnerability.

I would like to see far more thought in these new frameworks about security, where both client and server parts protect themselves against attacks. If the framework handles all the client-server communications for which events are handled where, it had better have mandatory provisions for authentication, access control, validation, error handling, and logging (to name a few).

So when you're evaluating application frameworks, see which one makes security mistakes more difficult -- if using it to build a secure application is theoretically possible but not probable, it won't happen.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: "Steve Lord" <slord () diagonalsecurity com>
To: "Mark Curphey" <mark () curphey com>; <webappsec () securityfocus com>
Sent: Tuesday, August 31, 2004 5:44 AM
Subject: RE: The ever encroaching blur between web apps and apps

Avalon is much more than just a new UI interface. It's part of MS' drive to reduce the number of APIs currently in use in Windows. It's supposed to compete with SVG and Flash from what I've seen/heard/read and looks quite cute.

Earlier this year a Microsoft Rep told me it was cross platform and portable (to all Microsoft platforms of course, natch ;). We already have the technology that Avalon proposes (in a slightly more clunky way) through things like Swing and Flash. Avalon also doesn't seem to affect the underlying communications between App and server; it allows active components to store data offline (I remember being told how ActiveX and COM would change our lives in a similar way) for Service-Orientated applications.

IMHO the real fun and games for us starts with Indigo (http://www.microsoft.com/indonesia/msdn/indigofaq1.asp) in which MS tries to take on J2EE and Distributed architecture as a whole.

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: 30 August 2004 13:54
To: webappsec () securityfocus com
Subject: The ever encroaching blur between web apps and apps

Anyone else any other good observations on the topic?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnintlong/html/longhornch01.asp
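The point Jeff makes about frameworks that carry "mandatory provisions for authentication, access control, validation, error handling, and logging" is easier to see in code. The sketch below is an added example, not code from the list thread or from any of the frameworks discussed: a tiny server-side event dispatcher for a rich-client application in which a handler cannot even be registered without declaring which roles may call it and what parameters it accepts, so the usual omission (a handler with no access check) is rejected at registration time rather than discovered by an attacker. The session store, roles, event names and handlers are all constructed for the example.

```python
"""Added example: a dispatcher that makes the five controls mandatory.
Every name here (Dispatcher, Request, the roles and events) is hypothetical."""
import logging
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional, Set, Tuple

log = logging.getLogger("dispatcher")


@dataclass
class Request:
    session_token: Optional[str]           # presented by the client; may be absent or forged
    event: str                             # the server-side event the client wants to fire
    params: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Any


class Dispatcher:
    def __init__(self, sessions: Dict[str, str]):
        # constructed session store: token -> role (a real framework uses its session layer)
        self._sessions = sessions
        self._handlers: Dict[str, Tuple[Callable, Set[str], Dict[str, type]]] = {}

    def handler(self, event: str, *, roles: Set[str], schema: Dict[str, type]):
        """Registration demands an explicit role set and parameter schema (keyword-only,
        no defaults). roles=set() means 'nobody'; 'anyone' cannot be expressed by omission."""
        if not isinstance(roles, set) or not isinstance(schema, dict):
            raise TypeError("roles must be a set and schema a dict; both are mandatory")

        def register(fn: Callable[[str, Dict[str, Any]], Any]):
            self._handlers[event] = (fn, roles, schema)
            return fn
        return register

    def dispatch(self, req: Request) -> Response:
        entry = self._handlers.get(req.event)
        if entry is None:
            log.warning("unknown event %r", req.event)
            return Response(404, "no such event")
        fn, roles, schema = entry
        # 1. authentication: the token must map to a live session
        role = self._sessions.get(req.session_token or "")
        if role is None:
            log.warning("unauthenticated call to %r", req.event)
            return Response(401, "authentication required")
        # 2. access control: the caller's role must be on the handler's allow-list
        if role not in roles:
            log.warning("role %r denied for %r", role, req.event)
            return Response(403, "forbidden")
        # 3. validation: exactly the declared parameters, each of the declared type
        if set(req.params) != set(schema):
            log.warning("parameter set mismatch for %r", req.event)
            return Response(400, "bad parameters")
        for name, typ in schema.items():
            if type(req.params[name]) is not typ:      # strict: bool is not accepted as int
                log.warning("parameter %r has wrong type for %r", name, req.event)
                return Response(400, "bad parameters")
        # 4. error handling: handler failures are logged server-side, never echoed to the client
        try:
            result = fn(role, req.params)
        except Exception:
            log.exception("handler for %r failed", req.event)
            return Response(500, "internal error")
        # 5. logging: every successful call leaves an audit line
        log.info("event %r by role %r ok", req.event, role)
        return Response(200, result)


def build_demo() -> Dispatcher:
    """Constructed sessions and handlers for the example."""
    d = Dispatcher(sessions={"tok-alice": "user", "tok-root": "admin"})

    @d.handler("account.balance", roles={"user", "admin"}, schema={"account_id": int})
    def balance(role, params):
        return {"account_id": params["account_id"], "balance": 100}

    @d.handler("user.delete", roles={"admin"}, schema={"user_id": int})
    def delete_user(role, params):
        if params["user_id"] == 0:
            raise RuntimeError("cannot delete the system account")   # simulated handler fault
        return "deleted"

    return d


if __name__ == "__main__":
    d = build_demo()
    print(d.dispatch(Request("tok-alice", "user.delete", {"user_id": 7})))   # 403 forbidden
    print(d.dispatch(Request("tok-root", "user.delete", {"user_id": 7})))    # 200 deleted
```

The design choice is the keyword-only, defaultless `roles` and `schema` arguments: a developer who writes `@d.handler("user.delete")` gets a TypeError when the module loads, which is the "makes security mistakes more difficult" property rather than a check that is merely available.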
Current thread:
- The ever encroaching blur between web apps and apps Mark Curphey (Aug 30)
- Re: The ever encroaching blur between web apps and apps Saqib . N . Ali (Aug 31)
- Re: The ever encroaching blur between web apps and apps Ben Poweski (Sep 01)
- RE: The ever encroaching blur between web apps and apps Yvan Boily (Sep 01)
- <Possible follow-ups>
- RE: The ever encroaching blur between web apps and apps Steve Lord (Aug 31)
- Re: The ever encroaching blur between web apps and apps Jeff Williams (Sep 02)
- Re: The ever encroaching blur between web apps and apps Rush Molekilla (Sep 05)
- Re: The ever encroaching blur between web apps and apps Jeff Williams (Sep 02)
- RE: The ever encroaching blur between web apps and apps Saqib . N . Ali (Aug 31)
- RE: The ever encroaching blur between web apps and apps Rishi Pande (Sep 01)
- Re: The ever encroaching blur between web apps and apps Saqib . N . Ali (Aug 31)