The Security Impact of Rich Internet Applications

By Courtney Macavinta

Rich Internet applications (RIAs) are the robust Web applications that function more like traditional desktop applications but run via a Web browser or within a sandbox (i.e., a virtual environment that isolates untested code). And they are growing in popularity for consumer and enterprise Web users alike. As more application development professionals use RIAs, such as Ajax, Adobe Flash, Flex, Java and Microsoft Silverlight, it also means IT managers are faced with new security risks, including how to best thwart an attack on IT systems, according to analysts.

Among the security risks that come with RIAs is the fact that data transported via RIAs is not as secure as if it were sent over a secure server, which opens organizations up to confidentiality breaches, viruses, spyware or worse.

“The security problems are the same we have other places. How do you know the RIA you're going to run is not a virus or spyware?” says Ronald Schmelzer, managing partner at the analyst firm ZapThink.

Specifically, the security risks posed by RIAs include server- and client-side attacks as well as communication-stream attack opportunities, according to the report Rich Internet Applications: Security Professionals Must Understand The Security Implications by Forrester Research. For IT managers, dealing with the risks of RIAs means first understanding the security risks as well as the benefits of working RIAs into their security strategy.

Here are steps IT managers can take to manage the risks while allowing the rewards of RIAs within the enterprise:

Step No. 1: Understand the risks
According to Forrester Research, IT managers need to understand the “attack surface of the application.” The primary concern with RIAs is that applications are available to unauthenticated users, making way for attacks such as cross-site request forgery -- a malicious code that sends unauthorized commands from a user the Web site trusts. And even though RIAs use a sandbox model, sandboxes don’t guarantee security. Some are more permissive than others, according to the March 2008 report by Forrester Research analyst Jeffrey Hammond, Securing Rich Internet Applications. “For example, a developer might use Flash’s local data store or a browser cookie to improve startup performance, and in the process, inadvertently expose data to a malicious app,” Hammond reports. “Or an administrator might configure a site to permit cross-domain access in order to roll out a new mash-up and inadvertently expose the firm’s entire domain to attack.”

Step No. 2: Limit risk
Analysts agree that IT managers need to be cautious about client-side validation when it comes to RIAs. IT should explore security solutions such as still validating data on the server side through authentication even if it means the application will run a bit slower. The communication stream also needs to be protected to protect client and other confidential information that is vulnerable to attack. For instance, IT managers can “create a layered security model using techniques, such as Transport Layer Security (TLS) and SSL,” according to Forrester. Also, IT should consider curtailing dynamic programming techniques, which increases RIA vulnerability.

Step No. 3: Include RIAs as part of overall security policy
It’s essential that IT organizations take inventory of the use of RIAs within the enterprise. “Right now it's all or nothing -- you either allow them or not,” Schmelzer says. “But IT should be thinking, How do I incorporate it into my total security policy?” And IT managers should also look at the big picture of whether allowing RIAs is worth the potential security risks. “You (or your business sponsors) should be able to articulate the potential cost savings of deploying an RIA….Before you start to code, balance this upside against the worst-case costs that would result from exposing sensitive data or business processes,” states Hammond’s March report.

As IT learns to manage RIAs, one thing is for sure: They are here to stay.

“RIAs provide a lot of value. You can access and compose all these Internet capabilities without being constricted to the Web-based environment,” Schmelzer says.

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News online, Inc. online, Business 2.0, Red Herring, Wired News and The Washington Post. She is also the managing editor of The Online Family.