eWeek: AJAX Poses Security, Performance Risks

[gunnar at arctecgroup.net (Gunnar Peterson)]

a lot of this gets back to a "framework versus roll your own debate"

http://1raindrop.typepad.com/1_raindrop/2005/05/wsmex_v_httpget.html
&
http://www.identityblog.com/2005/04/30.html#a210

also, for some good context security in ajax, rest, et. al. as well  
as examples of how amazon and google deals with security check out  
mark o'neill's deck from rsa:
http://radio.weblogs.com/0111797/2006/02/20.html#a44

-gp

On Feb 1, 2006, at 12:31 AM, Crispin Cowan wrote:

> ljknews wrote:
> > I have been involved in a dialog with AJAX fans (which is  
> > different from
> > experts) who say "you security folks just have to bow to the  
> > inevitable
> > and figure out how to secure whatever mechanism we come up with.
> This attitude is not unique to AJAX advocates. I remember holding this
> view myself, while wrestling with the problems of producing a truly
> transparent distributed operating system in the late 1980s and early
> 1990s; security was a bother that made things hard(er).
>
> Of course, this is just lifetime employment for security people :) I
> have certainly made a career out of securing things that are  
> inherently
> insecure.
>
> Crispin
> -- 
> Crispin Cowan, Ph.D.                      http://crispincowan.com/ 
> ~crispin/
> Director of Software Engineering, Novell  http://novell.com
>       Olympic Games: The Bi-Annual Festival of Corruption
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/ 
> listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/ 
> charter.php