Information Security Implications of Using Java and AJAX

Summary
This paper, "Information Security Implications of Using Java and AJAX", analyses the major aspects of the Java and Ajax platforms, the information security implications of using Java and AJAX, and the major security issues that arise on the Java and Ajax programming platforms.
Table of Contents
Introduction
JAVA Programming and Security Issues
Java Programming Security Considerations
  Denial of Service (DoS attacks)
  Confidential Information
  Injection and Inclusion
  Accessibility and Extensibility
  Input Validation
  Mutability
  Serialization and Deserialization
  Access Control
AJAX Programming and Security Issues
Ajax Security Considerations
Ajax Security Support
Information Security Implications While Using Java and AJAX
Conclusion
References

Introduction

At present, systems and applications built on modern technology play an important role in every walk of life, and information technology based systems are commonly used for both business and personal tasks. Distributed and e-commerce systems and applications normally depend on a wide variety of features and technologies in their realization: scripting languages, the web, server-side systems, mobile processing and, underneath it all, the database. The combination of these components produces a system that requires extra attention to the security and privacy issues of each part and of the system as a whole, because in operation these issues arise from the interaction of the security and privacy arrangements available for each component (Lindquist, 2002).
This research presents an analysis of the information security implications of using Java and AJAX: how easy or difficult it is to secure a Java/AJAX application, recommendations for programmers who use Java/AJAX as a platform, and the major strengths, weaknesses and common security vulnerabilities, with a demonstration of the findings regarding security and privacy.

JAVA Programming and Security Issues

One of the major design goals of the Java platform is to offer a protected environment for running mobile code. The Java language has its own set of security aspects and challenges. Although the Java security architecture can defend a user and a system from hostile code downloaded over a network, it cannot protect against implementation bugs in trusted system code. Such bugs can inadvertently open the very holes the security architecture was designed to contain, including access to files, printers, microphones, webcams and the network from behind firewalls. In the worst cases, local applications may be executed or Java security disabled entirely. Bugs of this kind can turn the system into a zombie platform, steal confidential information from the system and the web, stop useful processes, spy through attached devices, support further attacks and perform other malicious tasks. The choice of programming language also influences the robustness of an application; here the Java language and virtual machine offer a number of features that ease common programming problems.
The language is type-safe, and the runtime provides automatic memory management and bounds checking on arrays. Java programs also detect illegal states at the earliest opportunity. These features make Java programs immune to the stack-smashing and buffer-overflow attacks possible in C and, to a lesser degree, C++ (native code reached through JNI has no such protection), attacks that have been described as the single most pernicious problem in computer security today. The explicit static typing of Java makes code easy to understand, and the dynamic checks ensure that unexpected states result in predictable behaviour. To reduce the likelihood of vulnerabilities caused by programmer error, Java programmers should understand and follow the recommended coding guidelines; publications such as Effective Java offer excellent guidance on Java software design (Oracle, 2012).

Java Programming Security Considerations

This section outlines the major aspects that need to be considered when implementing Java applications. These aspects are discussed in several sources (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Denial of Service (DoS attacks)

DoS attacks are very frequent. To protect against them, the inputs to a system should be checked so that they cannot cause resource consumption out of proportion to the resources used to request the service.
Commonly affected resources are memory, CPU cycles, file descriptors and disk space (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Confidential Information

Java programmers must take care with confidential data, which should be readable only within a limited context. Data that is to be trusted should not be exposed to tampering, and privileged code should not be reachable through interfaces designed for untrusted callers (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Injection and Inclusion

Injection and inclusion attacks are also very frequent, so they must be handled when implementing programs in Java. A very common form of attack involves causing a program to interpret data crafted so as to produce an unexpected change of control flow; typically, though not always, this involves text formats (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Accessibility and Extensibility

Programmers also need to keep the accessibility and extensibility of their code in mind. The goal is to reduce the "attack surface" of the code (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Input Validation

One of the interesting characteristics of Java code is that rigorous method parameter checking is used to improve robustness. More generally, validation of external inputs is an essential element of security (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Mutability

Programmers also need to keep mutability in mind, and design the system in a way that reduces the surprising variety of security problems, including DoS, that mutable state can cause (Oracle, 2012; Revoor, 2007; Oracle, 2010).
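As an added illustration of the Denial of Service, Injection and Inclusion, and Input Validation points above (this is example code written for this page, not code from the paper or from Oracle's guidelines), the class below validates an identifier against an allow-list, confines a client-supplied attachment name to a fixed directory so that `../` or an absolute path cannot include files from elsewhere, and reads a request body under a hard size limit so an oversized upload fails instead of exhausting memory. The attachment root, the identifier pattern and the sample inputs are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example: three boundary checks a Java service applies to external input.
public final class InputGuards {
    // Allow-list for an identifier such as a username. The pattern is an
    // assumption chosen for this example, not a rule from the paper.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,31}");

    // Directory that client-named attachments must stay inside (assumed location).
    private static final Path ATTACHMENT_ROOT = Path.of("/var/app/attachments").toAbsolutePath();

    /** Validate an externally supplied identifier against an allow-list, not a deny-list. */
    public static String requireIdentifier(String raw) {
        if (raw == null || !IDENT.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid identifier");
        }
        return raw;
    }

    /** Resolve a client-supplied attachment name inside the attachment root and reject
     *  anything that escapes it: "inclusion" through ../ segments or an absolute path. */
    public static Path resolveAttachment(String name) {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("bad attachment name");
        }
        // resolve() of an absolute name discards the root, normalize() folds "..",
        // so the startsWith check catches both escape routes.
        Path p = ATTACHMENT_ROOT.resolve(name).normalize();
        if (!p.startsWith(ATTACHMENT_ROOT) || p.equals(ATTACHMENT_ROOT)) {
            throw new SecurityException("path escapes attachment root: " + name);
        }
        return p;
    }

    /** Read at most maxBytes from an untrusted stream. Oversized input is refused,
     *  not silently truncated, so the server never holds more than the limit. */
    public static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        byte[] data = in.readNBytes(maxBytes + 1);   // one extra byte detects overflow
        if (data.length > maxBytes) {
            throw new IOException("request body exceeds " + maxBytes + " bytes");
        }
        return data;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("accepted: " + requireIdentifier("alice_01"));
        for (String bad : new String[] {"alice; DROP TABLE users", "../etc", ""}) {
            try {
                requireIdentifier(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected identifier: '" + bad + "'");
            }
        }

        System.out.println("resolved: " + resolveAttachment("2012/report.pdf"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd"}) {
            try {
                resolveAttachment(bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // Constructed sample body: 64 bytes offered against a 32-byte limit, then a 128-byte limit.
        byte[] body = "x".repeat(64).getBytes(StandardCharsets.UTF_8);
        try {
            readBounded(new ByteArrayInputStream(body), 32);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(readBounded(new ByteArrayInputStream(body), 128).length + " bytes accepted");
    }
}
```

Run with `java InputGuards.java` (Java 11 or later). `normalize()` resolves `..` lexically; if the attachment root may contain symbolic links, resolve the final path with `toRealPath()` and repeat the `startsWith` check. For SQL, the equivalent rule is to pass values only as parameters of a `PreparedStatement`, never by string concatenation.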
Serialization and Deserialization

Java serialization provides an interface to classes that bypasses the normal expectations of the Java language: objects are reconstructed from the stream without their constructors running, and private state can be set from outside the class (Oracle, 2012; Revoor, 2007; Oracle, 2010).

Access Control

Programmers must also manage access control. Java is an object-capability language, and in addition a stack-based access control system is used to provide more predictable APIs (Oracle, 2012; Revoor, 2007; Oracle, 2010).

AJAX Programming and Security Issues

AJAX has become ubiquitous in newly developed web systems. While it offers excellent functionality, it also increases the attack surface. One of the drawbacks of AJAX is that calls to the web service being requested can be made from outside the regular web pages, which has opened new routes for cross-site scripting (XSS) attacks. It is therefore strongly suggested that every call to the web server and web service is checked for authentication and authorization before the request proceeds. In addition, all business logic should be kept on the server, all data validated, checks made for JavaScript or SQL injection and, most importantly, appropriate verification procedures established (Progress Software Corporation, 2008).

Ajax Security Considerations

The most noticeable security issue with Ajax is that the source code is downloaded to the web browser for interpretation. This is a concern for application logic that is intellectual property the author does not want to share with the world.
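The two Java sections above, Serialization and Deserialization and Access Control, are shown together in the example below. It is added example code, not from the paper, Oracle or any project: a deserialization filter (JEP 290, `java.io.ObjectInputFilter`, Java 9 and later) allow-lists the single request class the server expects, and the mailbox performs its owner check once and hands back a read-only capability, so that downstream code needs no further checks. The `ListRequest`, `Unexpected` and `Mailbox` classes and the sample data are constructed for the example; `Unexpected` stands in for whatever class an attacker would prefer to have instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// The one request type we are prepared to accept from the wire (constructed for this example).
final class ListRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String user;
    ListRequest(String user) { this.user = user; }
}

// Stand-in for any class an attacker would rather have us instantiate; a real
// attack would pick a "gadget" class that is already on the classpath.
final class Unexpected implements Serializable {
    private static final long serialVersionUID = 1L;
}

// A read-only capability: holding one proves the holder was authorised once.
interface SubjectsReader {
    List<String> subjects();
}

// Encapsulated state: final class, private fields, defensive copies, no setters.
final class Mailbox {
    private final String owner;
    private final List<String> subjects;

    Mailbox(String owner, List<String> subjects) {
        this.owner = owner;
        this.subjects = new ArrayList<>(subjects);   // caller keeps no handle to our list
    }

    // The single authorisation check. Code holding the returned capability needs
    // no further checks and cannot reach anything beyond reading the subjects.
    SubjectsReader grantReader(String requester) {
        if (!owner.equals(requester)) {
            throw new SecurityException(requester + " is not the owner of this mailbox");
        }
        return () -> Collections.unmodifiableList(new ArrayList<>(subjects));
    }
}

public final class SecureBoundary {
    // Allow-list filter: only ListRequest and String may be deserialised, "!*"
    // rejects every other class, and the limits cap graph depth and stream size.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "ListRequest;java.lang.String;!*;maxdepth=4;maxbytes=4096");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Trust boundary: untrusted bytes come in, only a ListRequest comes out.
    static ListRequest readRequest(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(FILTER);
            Object o = ois.readObject();
            if (!(o instanceof ListRequest req)) {
                throw new InvalidClassException("unexpected payload " + o.getClass().getName());
            }
            return req;
        }
    }

    static List<String> handle(byte[] untrusted, Mailbox mailbox)
            throws IOException, ClassNotFoundException {
        ListRequest req = readRequest(untrusted);
        return mailbox.grantReader(req.user).subjects();
    }

    public static void main(String[] args) throws Exception {
        Mailbox box = new Mailbox("alice", List.of("Quarterly report", "Lunch?"));

        System.out.println(handle(serialize(new ListRequest("alice")), box));

        try {
            handle(serialize(new Unexpected()), box);     // filter rejects the class descriptor
        } catch (InvalidClassException e) {
            System.out.println("deserialisation refused: " + e.getMessage());
        }

        try {
            handle(serialize(new ListRequest("mallory")), box);
        } catch (SecurityException e) {
            System.out.println("authorisation refused: " + e.getMessage());
        }
    }
}
```

Run with `java SecureBoundary.java` on Java 17 or later. The rejected payload fails at the class descriptor, before any field of `Unexpected` is read, which is the point of filtering: the decision is made before any untrusted code path runs.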
Minification (shortening identifiers and removing white space) can make JavaScript a great deal harder to read (and to debug). Most developers would regard Ajax applications as no different from HTML in this respect, although others will consider the exposure a concern. The only real alternatives are to (1) restrict log-in to the application to trusted clients or partners, or (2) keep the sensitive algorithms on the server side and invoke them through web services from the Ajax client. The Zimbra Ajax client sidesteps this concern entirely because it is open source (Oracle, 2012; Garrett, 2012; Progress Software Corporation, 2008; Dietzen, 2006; Anyang-Window, 2012; M and L Adventures, 2007). Zimbra offers the additional guarantees below to secure the application even over public networks; the methods are generally applicable to protecting Ajax applications (Oracle, 2012; Garrett, 2012; Progress Software Corporation, 2008; Dietzen, 2006; Anyang-Window, 2012; M and L Adventures, 2007).

Use TLS/SSL: the confidentiality and integrity of the JSON-over-HTTP communication with the Ajax client must be ensured. TLS/SSL also limits who can observe the Ajax source code and the data it carries in transit.

No server-side handling of JavaScript or other client-submitted code: Zimbra receives vanilla XML requests from the browser client, which are validated and then processed by Zimbra's server-side Java code. No JavaScript flows from the client to the server, and there is no server-side evaluation of any user data (for example, message bodies).
Because no JavaScript runs on the server, there is no way for even a hostile Ajax client holding valid credentials to inject malicious code that would execute on the server.

Limited or no client-side handling of JavaScript inside client data: the Zimbra Ajax client is an email client that runs within the confines of the web browser. There is an additional risk in displaying the contents of rich HTML messages that themselves contain JavaScript: script inside a message might be able to make dangerous calls to the Zimbra server (the browser would normally prevent it from calling other sites). When a rich HTML message contains any JavaScript, Zimbra errs on the side of caution and does not execute it.

Benign URLs: all of Zimbra's GET-based REST and URL APIs are read-only and do not change data, which ensures that a client (holding pre-authenticated credentials) cannot be tricked into changing anything by clicking on a malicious link.

Ajax Security Support

This section discusses some of the major advantages that Ajax offers from a security standpoint. These advantages are drawn from several sources (Oracle, 2012; Garrett, 2012; Progress Software Corporation, 2008; Dietzen, 2006; Anyang-Window, 2012; M and L Adventures, 2007).

Dynamic Ajax client download: the Ajax client code can be fetched on demand from the trusted server after a particular client logs in.
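To make the Zimbra-style rules above concrete, the following is an added example (not Zimbra's code and not from the paper) of how a Java server behind an Ajax client can enforce three of them: the client only names an action and supplies data, and nothing it sends is evaluated as code; message content is HTML-escaped on output, so a `<script>` inside a stored message is shown as text and cannot call back into the server; and GET is kept read-only, with every state-changing action requiring POST and a per-session token compared in constant time. Responses are also marked `Cache-Control: no-store`, matching the no-persistent-caching property described under Ajax Security Support. The `Request`, `Response` and `Session` records, the action names and the stored message are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

// Added example: server-side enforcement for an Ajax client. The request model is
// a stand-in for whatever the servlet container would hand a real handler.
public final class AjaxEndpoint {
    public record Request(String method, String action, String csrfToken, Map<String, String> params) {}
    public record Response(int status, String body, Map<String, String> headers) {}
    public record Session(String user, String csrfToken) {}

    // GET is read-only by design: a link an attacker tricks a logged-in user into
    // clicking can fetch data the user already owns, but cannot change anything.
    private static final Set<String> READ_ONLY = Set.of("listFolders", "getMessage");
    private static final Set<String> MUTATING = Set.of("deleteMessage", "setForwarding");

    private static final SecureRandom RNG = new SecureRandom();

    // Constructed sample store: one message carrying an injected script.
    private static final Map<String, String> MESSAGES = Map.of(
            "1", "Quarterly report attached <script>fetch('/service/deleteAll')</script>");

    public static Session newSession(String user) {
        byte[] tok = new byte[32];
        RNG.nextBytes(tok);
        return new Session(user, Base64.getUrlEncoder().withoutPadding().encodeToString(tok));
    }

    public static Response handle(Session session, Request req) {
        if (session == null) return reply(401, "login required");
        boolean readOnly = READ_ONLY.contains(req.action());
        boolean mutating = MUTATING.contains(req.action());
        if (!readOnly && !mutating) return reply(400, "unknown action");
        if (mutating) {
            if (!"POST".equals(req.method())) return reply(405, "state change requires POST");
            if (!tokenMatches(session.csrfToken(), req.csrfToken())) return reply(403, "bad CSRF token");
        }
        // Business logic stays on the server; the client only names the action.
        return switch (req.action()) {
            case "getMessage" -> reply(200,
                    "<div class=\"msg\">" + escapeHtml(lookupMessage(req.params().get("id"))) + "</div>");
            case "listFolders" -> reply(200, "[\"Inbox\",\"Sent\"]");
            default -> reply(200, "ok");
        };
    }

    // Constant-time comparison so the token check does not leak timing information.
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Output encoding: message content is data, never markup. A <script> inside a
    // stored message is rendered as literal text, so it cannot call the server.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '&' -> sb.append("&amp;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    private static String lookupMessage(String id) {
        return MESSAGES.getOrDefault(id == null ? "" : id, "");
    }

    private static Response reply(int status, String body) {
        // Nothing the client fetched is written to the browser's disk cache.
        return new Response(status, body, Map.of("Cache-Control", "no-store"));
    }

    public static void main(String[] args) {
        Session s = newSession("alice");
        System.out.println(handle(s, new Request("GET", "getMessage", null, Map.of("id", "1"))).body());
        System.out.println(handle(s, new Request("GET", "deleteMessage", null, Map.of("id", "1"))).status());
        System.out.println(handle(s, new Request("POST", "deleteMessage", "forged", Map.of("id", "1"))).status());
        System.out.println(handle(s, new Request("POST", "deleteMessage", s.csrfToken(), Map.of("id", "1"))).status());
    }
}
```

Run with `java AjaxEndpoint.java` (Java 17 or later); the four calls in `main` yield the escaped message, then 405, 403 and 200. Escaping everything is the safe default; if rich HTML must be rendered, the allow-list has to be applied by a real HTML parser, not by string matching.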
This automatically ensures that the client and server versions are in sync (for public systems a shift-reload is better still, in that it overwrites any Ajax code from that site held in the browser cache).

No persistent client caching: another problem with traditional web clients is that they store HTML pages, which can contain user and application data, on the client disk in the course of normal operation. This is a security issue when access is from public kiosks or other shared systems. Ajax systems such as the Zimbra client store no client data on disk.

Server-side control of intranet and Internet mash-ups: Zimlets and other Ajax mash-ups are prevented from connecting to arbitrary services on the web (unless they open a new iFrame, which can be checked at server application time), and must instead (like Java applets) make all their invocations back to the originating server. The Ajax web server can therefore act as a secure proxy gateway for accessing intranet systems, and can control which external web services (if any) are available for mash-up inside the Ajax client.

Information Security Implications While Using Java and AJAX

This section presents some important guidelines for better security management and for the information security implications of using Java and Ajax (Oracle, 2012; Lindquist, 2002; Progress Software Corporation, 2008).

Prefer to have no bugs: developing secure code is not simple. Despite Java's relatively robust type system, a wide variety of bugs can slip past with astonishing ease. Code should be written so that it does not require clever reasoning to see that it is secure.

Design APIs to avoid security concerns: it is useful to design APIs with security concerns in mind from the start.
Attempting to retrofit security into an existing API is harder and more error-prone. For instance, making a class final prevents a malicious subclass from adding cloning or finalizers, or from overriding arbitrary methods.

Avoid duplication: code duplication causes a wide variety of problems. Both data and code tend not to be handled consistently when duplicated; for example, changes are not applied to all copies.

Limit privileges: despite programmers' best efforts, not all coding flaws will be eliminated, even in well-reviewed code. The most extreme expression of this is known as the principle of least privilege. It can be applied using the Java security mechanisms, by granting as few permissions as possible in policy files and by dropping privileges dynamically in code.

Establish trust boundaries: to make sure a system is secure, it is essential to establish trust boundaries. Data that crosses these boundaries should be sanitized and validated before use.

Minimise the number of permission checks: because Java is mainly an object-oriented language, security manager checks should be considered a last resort. Security checks should be performed at a few defined points, which then return an object (a capability) that user code retains, so that no further permission checks are necessary.

Encapsulate: allocate behaviour and provide succinct interfaces. Fields of data objects should be private and accessors avoided. The interface of a method, class, package and module should form a coherent set of behaviours, and no more (Oracle, 2012; Lindquist, 2002; Progress Software Corporation, 2008).

Conclusion

This paper has presented a detailed analysis of some of the major security aspects of Java and Ajax programming.
It has discussed the information security implications of using Java and AJAX and covered the major security issues that arise on the Java and Ajax platforms, along with the problems they can cause. When an application is being developed, decision makers need to be aware of all such issues regarding the programming languages chosen; management has to assess the possible issues and recommend better application development solutions. The paper has also suggested possible solutions for resolving these issues and managing the problems, and has presented findings and guidelines for better security and privacy when programming in Java and Ajax.

References

Anyang-Window. (2012). Web2.0 10 Ajax security vulnerabilities and causes. Retrieved November 04, 2012, from http://www.anyang-window.com.cn/web20-10-ajax-security-vulnerabilities-and-causes/

Dietzen, S. (2006, September 09). Securing Ajax. Retrieved November 02, 2012, from http://blog.zimbra.com/blog/archives/2006/09/securing-ajax.html

Garrett, J. J. (2012). Ajax: A New Approach to Web Applications. Retrieved November 01, 2012, from http://www.javalobby.org/articles/ajax/

Lindquist, T. E. (2002). Security Considerations for Distributed Web-Based e-commerce Applications in Java. Proceedings of the 35th Hawaii International Conference on System Sciences (pp. 1-5). IEEE.

M and L Adventures. (2007, August 10). AJAX Security Considerations. Retrieved November 02, 2012, from http://www.mandladventures.com/2007/08/10/ajax-security-considerations/

Oracle. (2012). Secure Coding Guidelines for the Java Programming Language, Version 4.0. Retrieved November 02, 2012, from http://www.oracle.com/technetwork/java/seccodeguide-139067.html

Oracle. (2010). Security.
Retrieved October 1, 2012, from http://docs.oracle.com/javase/jndi/tutorial/ldap/security/index.html

Progress Software Corporation. (2008). SaaS Security and privacy. Retrieved November 01, 2012, from http://www.progress.com/docs/whitepapers/public/SaaS/SaaS-Security.pdf

Revoor, M. (2007). Java Web Services Tools. Retrieved April 19, 2012, from http://freecode.com/articles/java-web-services-tools