WebApp Sec mailing list archives

Re: The ever encroaching blur between web apps and apps


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 1 Sep 2004 10:39:12 -0400

The interesting thing about this trend, to me, is the effect on the trust
relationship between client-code and server-code.  The relationship between
clients and servers has been getting more and more complex -- "the network
is the computer."  Web applications were a big step in this direction, and
it gave attackers the full range of HTTP to embed their attacks.

I think this latest trend towards richer UIs for web applications will
increase the complexity of the communications between client and server code
even further.  And that is going to open the door for more sophisticated
attacks.  The same argument goes for web services -- more complex
interaction between attackers (er...users) and applications means more
attack surface and more vulnerability.

I would like to see far more thought in these new frameworks about security,
where both client and server parts protect themselves against attacks.  If
the framework handles all the client-server communications for which events
are handled where, it had better have mandatory provisions for
authentication, access control, validation, error handling, and logging (to
name a few).

So when you're evaluating application frameworks, see which one makes
security mistakes more difficult -- if using it to build a secure
application is theoretically possible but not probable, it won't happen.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message ----- 
From: "Steve Lord" <slord () diagonalsecurity com>
To: "Mark Curphey" <mark () curphey com>; <webappsec () securityfocus com>
Sent: Tuesday, August 31, 2004 5:44 AM
Subject: RE: The ever encroaching blur between web apps and apps


Avalon is much more than just a new UI interface. It's part of MS' drive
to reduce the number of APIs currently in use in Windows. It's supposed
to compete with SVG and Flash from what I've seen/heard/read and looks
quite cute. Earlier this year a Microsoft Rep told me it was cross
platform and portable (to all Microsoft platforms of course, natch ;).

We already have the technology that Avalon proposes (in a slightly more
clunky way) through things like Swing and Flash. Avalon also doesn't
seem to affect the underlying communications between App and server; it
allows active components to store data offline (I remember being told
how ActiveX and COM would change our lives in a similar way) for
Service-Orientated applications. IMHO the real fun and games for us
starts with Indigo
(http://www.microsoft.com/indonesia/msdn/indigofaq1.asp) in which MS
tries to take on J2EE and Distributed architecture as a whole.

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: 30 August 2004 13:54
To: webappsec () securityfocus com
Subject: The ever encroaching blur between web apps and apps


Anyone else any other good observations on the topic ?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnintlong/html/longhornch01.asp

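Added illustration, not part of the thread above and not code by any of its authors: a minimal event dispatcher of the kind Jeff argues for, where a handler cannot be registered without an access policy and an input schema, and every client event passes through authentication, access control, validation, error handling and logging before and after the handler runs. Everything in it (the Dispatcher and Request classes, the "ping" and "transfer" events, the "teller" role, the sample requests) is invented for the example.

```python
"""Hypothetical event dispatcher in the spirit of the message above: a
framework layer that routes client events to server handlers and makes
authentication, access control, validation, error handling and logging
mandatory rather than optional.  Example code only; all names invented."""
import logging
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, List, Optional, Set

log = logging.getLogger("dispatcher")


@dataclass
class Request:
    """What the framework hands the server side after decoding a client event."""
    event: str
    args: Dict[str, Any]
    principal: Optional[str] = None          # None = client never authenticated
    roles: Set[str] = field(default_factory=set)


@dataclass
class Handler:
    func: Callable[..., Any]
    roles: frozenset                         # roles allowed to invoke it
    schema: Dict[str, type]                  # argument name -> exact expected type
    anonymous: bool                          # explicitly opted in to unauthenticated calls


class Dispatcher:
    """Every event goes through the same checks; a handler author cannot skip them."""

    def __init__(self) -> None:
        self._handlers: Dict[str, Handler] = {}
        self.audit: List[str] = []           # in-memory audit trail for this example

    def register(self, event: str, *, schema: Dict[str, type],
                 roles: Iterable[str] = (), allow_anonymous: bool = False):
        """Decorator.  Refuses a handler that states no access policy at all."""
        roles = frozenset(roles)
        if not roles and not allow_anonymous:
            raise ValueError(f"{event}: pass roles= or allow_anonymous=True")

        def deco(func: Callable[..., Any]) -> Callable[..., Any]:
            self._handlers[event] = Handler(func, roles, dict(schema), allow_anonymous)
            return func
        return deco

    def _record(self, req: Request, outcome: str) -> None:
        line = f"principal={req.principal or 'anonymous'} event={req.event} outcome={outcome}"
        self.audit.append(line)
        log.info(line)

    def _deny(self, req: Request, outcome: str, message: str) -> Dict[str, Any]:
        self._record(req, outcome)
        return {"ok": False, "error": message}

    def dispatch(self, req: Request) -> Dict[str, Any]:
        h = self._handlers.get(req.event)
        if h is None:
            return self._deny(req, "unknown-event", "unknown event")
        # Authentication and access control, default deny.
        if not h.anonymous:
            if req.principal is None:
                return self._deny(req, "unauthenticated", "authentication required")
            if not (req.roles & h.roles):
                return self._deny(req, "forbidden", "forbidden")
        # Validation: exact key set and exact types, so "5" is not 5 and True is not 1.
        if set(req.args) != set(h.schema) or \
                any(type(req.args[k]) is not t for k, t in h.schema.items()):
            return self._deny(req, "invalid-input", "invalid input")
        # Error handling: details stay in the server log, the client gets a generic error.
        try:
            result = h.func(**req.args)
        except Exception as exc:             # deliberate catch-all at the trust boundary
            log.error("handler %s failed: %r", req.event, exc)
            return self._deny(req, "handler-error", "internal error")
        self._record(req, "ok")
        return {"ok": True, "result": result}


def build_demo() -> Dispatcher:
    """A dispatcher with one public and one role-restricted event (both invented)."""
    d = Dispatcher()

    @d.register("ping", schema={}, allow_anonymous=True)
    def ping() -> str:
        return "pong"

    @d.register("transfer", roles={"teller"}, schema={"to": str, "amount": int})
    def transfer(to: str, amount: int) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")   # never reaches the client
        return f"moved {amount} to {to}"

    return d


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    d = build_demo()
    print(d.dispatch(Request("transfer", {"to": "bob", "amount": 5})))
    print(d.dispatch(Request("transfer", {"to": "bob", "amount": 5},
                             principal="ann", roles={"teller"})))
```

The point of the design is the one Jeff makes: the insecure path is not merely discouraged but unavailable. There is no way to register a handler that skips the policy check, validation is driven by the schema the author had to supply, and a handler that throws cannot leak its stack trace because the boundary converts it before anything reaches the client.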