Tips for IT Security in RIAs
Rich internet applications (RIAs) are spreading quickly across the business and enterprise application landscape as more software managers and corporate decision makers elect to deploy them in their organizations. But alongside the many advantages RIAs hold over client/server deployments, organizations also find new problems to master, one of which is understanding the security vulnerabilities specific to rich web-based applications and taking the right measures to protect their systems.
Whilst the measures taken to secure systems in the client/server world are as relevant today as in the past, the nature of the browser client obliges us to go further if we want to secure RIA-based applications. That means understanding the numerous ways in which information exposed to the browser can be used by an attacker whose aim is to compromise the application or the data it holds. Rich internet applications can be broadly categorized into plug-ins and Ajax frameworks. Ajax frameworks use JavaScript together with either XML function libraries or JSON (a text serialization of JavaScript object literals, so that what travels on the wire is effectively a JavaScript object) to give HTML the asynchronous, desktop-like behavior we want from an RIA. Plug-ins are proprietary software sandboxes that must be installed into the browser environment. A third approach, HTML5, brings some of the plug-in's capabilities into the browser as native functionality, further empowering pure Ajax solutions; its use is growing steadily but, at the time of writing, it is not yet fully supported by all browsers.
In both the plug-in and the Ajax model, a degree of sensitive information must be exchanged between server and client, far more than in a traditional synchronous web 1.0 application, which demands very little of the client beyond capturing user input (the request) and presenting the page delivered by the server (the reply). The smarter, asynchronous web 2.0 model on which RIAs are built requests specific pieces of information, and this often requires the client to take a significant role in controlling program logic. The server's responses carry information in the form of a data structure, e.g. a list of customers, rather than synchronous HTML in whose elements that list of customers is already embedded.
So the information that causes security vulnerabilities is no longer only the input received from the user or the output rendered on the page, but also the various pieces of data that make the application tick: the records, flags and identifiers that travel between server and browser and that the client-side code uses to make decisions. Understanding these data items, and what opportunities they present to a user with malicious intent, is the key to building secure web applications.
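The two preceding paragraphs make an abstract point: once the server hands the browser a data structure (a customer list) and lets client-side code drive program logic, every field in that structure, and every field the client sends back, becomes something an attacker can read or rewrite. The following is an added example, not code from the original article, that makes this concrete in plain Node.js. It contrasts a naive design, in which the server returns the whole table and trusts a `role` field in the client's JSON body, with a hardened design that filters and authorizes using only server-held session state. The customer records, the session tokens and the function names are all constructed for the example.

```javascript
'use strict';

// Constructed sample data standing in for a back-end store (not from the page).
const CUSTOMERS = [
  { id: 1, name: 'Acme Ltd',   ownerId: 'alice', balance: 1200 },
  { id: 2, name: 'Globex Inc', ownerId: 'bob',   balance: 950 },
  { id: 3, name: 'Initech',    ownerId: 'alice', balance: 300 },
];

// Server-side session store keyed by a bearer token. The role lives here, never in the client.
const SESSIONS = {
  'tok-alice': { userId: 'alice', role: 'user' },
  'tok-bob':   { userId: 'bob',   role: 'user' },
  'tok-admin': { userId: 'carol', role: 'admin' },
};

// ---- Naive design: the client is trusted to filter, and to state its own role ----

// Returns the whole table; the Ajax client is expected to hide the rows it should not show.
function naiveListCustomers() {
  return JSON.stringify(CUSTOMERS);
}

// Client-side filtering looks right in the UI, but every row has already crossed the wire
// and is visible in the browser's network tools.
function clientSideFilter(responseBody, userId) {
  return JSON.parse(responseBody).filter(c => c.ownerId === userId);
}

// Deletes a record if the JSON body says the caller is an admin. The body is attacker-controlled.
function naiveDelete(token, body) {
  const session = SESSIONS[token];
  if (!session) return { status: 401 };
  const req = JSON.parse(body);
  if (req.role !== 'admin') return { status: 403 };
  return { status: 200, deleted: req.id };
}

// ---- Hardened design: authorization decisions use only server-held state ----

function listCustomers(token) {
  const session = SESSIONS[token];
  if (!session) return { status: 401 };
  const rows = session.role === 'admin'
    ? CUSTOMERS
    : CUSTOMERS.filter(c => c.ownerId === session.userId);
  return { status: 200, body: JSON.stringify(rows) };
}

function deleteCustomer(token, body) {
  const session = SESSIONS[token];
  if (!session) return { status: 401 };
  let req;
  try { req = JSON.parse(body); } catch (e) { return { status: 400 }; } // parse, never eval()
  if (!Number.isInteger(req.id)) return { status: 400 };
  const row = CUSTOMERS.find(c => c.id === req.id);
  if (!row) return { status: 404 };
  // Role comes from the session and ownership from the store; nothing in the body decides.
  if (session.role !== 'admin' && row.ownerId !== session.userId) return { status: 403 };
  return { status: 200, deleted: row.id };
}

// Demonstration: bob tampers with the JSON body to claim the admin role.
const tampered = JSON.stringify({ id: 1, role: 'admin' });
console.log('naive delete by bob   :', naiveDelete('tok-bob', tampered));     // 200, alice's record gone
console.log('hardened delete by bob:', deleteCustomer('tok-bob', tampered));  // 403
console.log('rows sent to bob (naive)   :', JSON.parse(naiveListCustomers()).length);
console.log('rows sent to bob (hardened):', JSON.parse(listCustomers('tok-bob').body).length);
```

The rule the example illustrates is the one the text is driving at: the client may use the data it receives to shape the user experience, but every decision that affects confidentiality or integrity must be re-made on the server from state the client cannot touch, and the server should only send the rows the caller is entitled to see, since anything placed in the response is already in the attacker's hands.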
Those data items, the vulnerabilities they give rise to and how to cope with them are discussed in depth in the following guide to RIA security, posted on Visual Studio Magazine.