[OpenAjaxSecurity] Some comments on Ajax and Mashup Security whitepaper draft
Finkelstein, Shel
shel.finkelstein at sap.com
Tue Aug 7 18:53:08 PDT 2007
> Hi. As you know, Yuecel Karbulut is representing SAP on OpenAjax
> Security, but I thought that I would send a few brief high level
> thoughts for your consideration on the current OpenAjax Security
> Whitepaper (at
> http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security),
> especially since I won't be able to be on Friday's call. The paper
> has a lot of strong material in it, and I'm sure that it will continue
> to improve before it's sent out.
>
> * The charter and mission of OpenAjax Security are not clear from the
> paper. Even though this is an OpenAjax white paper, it's a good
> opportunity to publicize this group. Also, intro might identify the
> audience for the whitepaper, and its purpose. This paper doesn't aim
> to be an exhaustive study of Ajax security issues; it's more of an
> introduction to some issues, with some suggested practices and
> pointers to additional material (next point). And that's fine, and
> it's even better to make that clear.
>
> * There are many papers and presentations describing threats and best
> practices, and I believe that some of the material in this paper may
> come from them. It would be appropriate to reference some of those
> papers, in place in the paper, especially if it's planned for
> publication in a magazine. (Referring to Resources listed on the
> OpenAjax website is good, but is it enough?) For example, I think
> that we might point to Douglas Crockford's webpage, papers and browser
> improvement goals. Other bibliographical references would help
> explain terms (e.g., JSONP), provide access to more detailed
> discussions (and other experts), and give credit to people who've been
> raising and addressing these issues before OpenAjax Security existed.
>
> * We know that these are just some of the threats associated with
> Ajax and mashups. As I mentioned above, I suggest that this paper
> should be clear that this describes many of the more common issues.
> And I like best practices a lot, but perhaps we should clarify how
> much these best practices accomplish (avoiding some common errors, but
> not a panacea), so that we don't over-promise and mislead. Also, some
> other common practices, such as whitelisting and blacklisting of
> sites/services/URLs, aren't discussed. (There is a discussion of
> blacklisting and whitelisting for Input Value Checking, but that's a
> very different issue.)
>
> * Section 2.1.2 seems schizophrenic. The first paragraph speaks of
> the archetypal mashup example, annotating Google Maps using
> Craigslist, which involves explicitly programmed composition, while
> the second paragraph describes an event-based composition framework
> for mashups. These are different definitions, with different security
> implications. (Minor point: Can we include section numbers within
> the doc, as well as in the Table of Contents?)
>
> Regards,
>
> Shel