Cenzic announced that its automated vulnerability assessment solutions now offer
full support for testing Web applications built using AJAX (Asynchronous
JavaScript and XML) software development technology. AJAX support in Cenzic Hailstorm and ClickToSecure enables
customers to take advantage of this application development
technique to build smoother, more responsive and intuitive applications
without the vulnerabilities that have left AJAX-based
applications increasingly susceptible to security threats.

Historically, the same simplicity that enabled the Web's growth as a
communications medium also created a gap between the experience it provides
and the experience users expect from desktop applications. AJAX has rapidly
emerged as a prominent enabling technology in the movement to improve the
Web as a platform for business and consumer applications. Using AJAX,
web-based applications can be developed with the same power and efficiency
as desktop applications, giving software developers a wide-open platform
for creating innovative new programs that do not depend on a particular
operating system.

As a method of programming that combines several different tools --
including JavaScript, dynamic HTML (DHTML), Extensible Markup Language
(XML), and others -- AJAX builds interactive Web applications that
process user requests immediately. Web pages become more responsive because
the browser exchanges small amounts of data with an intermediary -- an AJAX
engine -- that sits between the user and the server, instead of reloading
the entire Web page each time a user makes a change. An AJAX application
eliminates the start-stop-start-stop nature of the Web, thus increasing the
speed and interactivity of web pages and web-enabled services.

"AJAX creates rich internet applications that can be leveraged for tasks
across the board, such as updating and deleting records or returning simple
search queries. This notion of the Web as a software platform provides an
inviting, seemingly limitless medium which is already being leveraged by
industry leaders such as Google and Microsoft," said Mandeep Khera, vice
president of marketing for Cenzic. "However, AJAX-style applications
present new Web application security challenges which are often not
initially visible to application developers. We have always taken pride in
responding to our customers' needs, and as some of these customers have
started developing their applications using the AJAX platform, they want to
ensure that the applications are secure. Cenzic solutions now provide
automated and efficient testing of these applications."

The new opportunities presented by AJAX and related Web 2.0 development
tools come with a corresponding set of new security holes. By
enabling more interactive Web pages that are interoperable with Web
services, AJAX immediately increases the amount of XML, text or HTML
network traffic and therefore exposes applications to Web services
vulnerabilities. The complexities inherent to AJAX development leave the
door open for malicious clients to send corrupted data, expose back-end
applications that were not previously vulnerable, and allow
unauthenticated users to quickly elevate their privileges in the absence of
server-side protection.

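The following is an added example, not code from Cenzic, Hailstorm, or the original release. It models the server side of the AJAX exchange described above (a small JSON body sent by the page's AJAX engine instead of a full reload) and shows the "server-side protection" this passage refers to: a weak handler that trusts a client-supplied role field next to a hardened handler that authenticates from the server-side session, authorizes from the session role and record owner, and validates the body before any logic runs. The names SESSIONS, RECORDS, handleUpdateRecordTrusting, handleUpdateRecord and parseUpdateBody are hypothetical, and the data is constructed for the demo.

```javascript
// Added example, not code from Cenzic, Hailstorm or the original release.
// It models the server side of an AJAX "update record" call: the browser's
// AJAX engine sends a small JSON body instead of reloading the page, and the
// server must treat that body as untrusted. SESSIONS, RECORDS and the handler
// names are hypothetical; the data below is constructed for the demo.

// Constructed stand-ins for a server-side session store and a record table.
const SESSIONS = {
  'sess-alice': { user: 'alice', role: 'editor' },
  'sess-bob':   { user: 'bob',   role: 'viewer' },
};
const RECORDS = {
  101: { owner: 'alice', title: 'Q1 report' },
  102: { owner: 'bob',   title: 'Meeting notes' },
};

function jsonResponse(status, payload) {
  return { status, body: JSON.stringify(payload) };
}

// Weak variant: the only "protection" is a role field the client itself
// supplies in the AJAX body. Hiding the edit button in the page's JavaScript
// does nothing for a client that builds its own request.
function handleUpdateRecordTrusting(req, records) {
  let data;
  try { data = JSON.parse(req.body); } catch (e) {
    return jsonResponse(400, { error: 'bad json' });
  }
  const record = records[data.id];
  if (!record) return jsonResponse(404, { error: 'not found' });
  if (data.role !== 'editor') return jsonResponse(403, { error: 'forbidden' });
  record.title = data.title;
  return jsonResponse(200, { id: data.id, title: record.title });
}

// Hardened variant, step 1: validate the body against the schema the server
// expects before any application logic runs. Corrupted or oversized data,
// wrong types and unexpected fields are rejected or dropped here.
function parseUpdateBody(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > 4096) return null;
  let data;
  try { data = JSON.parse(rawBody); } catch (e) { return null; }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (!Number.isInteger(data.id) || data.id <= 0) return null;
  if (typeof data.title !== 'string' || data.title.length === 0 || data.title.length > 100) return null;
  if (/[\u0000-\u001f\u007f]/.test(data.title)) return null; // no control characters
  // Whitelist: only the expected fields survive; a client-supplied "role" is discarded.
  return { id: data.id, title: data.title };
}

// Hardened variant, step 2: authenticate from the server-side session,
// validate the body, then authorize from the session role and record owner.
function handleUpdateRecord(req, sessions, records) {
  const session = sessions[req.headers['x-session']];
  if (!session) return jsonResponse(401, { error: 'unauthenticated' });
  const update = parseUpdateBody(req.body);
  if (!update) return jsonResponse(400, { error: 'invalid request' });
  const record = records[update.id];
  if (!record) return jsonResponse(404, { error: 'not found' });
  if (session.role !== 'editor' || record.owner !== session.user) {
    return jsonResponse(403, { error: 'forbidden' });
  }
  record.title = update.title;
  return jsonResponse(200, { id: update.id, title: record.title });
}

// Deep copy so repeated runs start from the same constructed data.
function freshRecords() {
  return JSON.parse(JSON.stringify(RECORDS));
}

// Demo: the same forged request (no session, self-declared "editor" role) is
// accepted by the weak handler and refused by the hardened one.
const forged = { headers: {}, body: '{"id":101,"title":"defaced","role":"editor"}' };
console.log('trusting:', handleUpdateRecordTrusting(forged, freshRecords()).status); // 200
console.log('hardened:', handleUpdateRecord(forged, SESSIONS, freshRecords()).status); // 401
```

The ordering in the hardened handler matters: identity and the request shape are settled before the record is even looked up, so a malformed body never reaches application logic and an unauthenticated caller learns nothing about which record ids exist.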
"The open, malleable nature of Web 2.0 establishes a relatively easy target
for malicious behavior to compromise applications and overall network
security," said Khera. "However, AJAX is here to stay, being touted as the
technology to deliver a richer user experience with the potential to form
the future of Web application technology. By making the powerful
functionalities of Hailstorm applicable to Web 2.0, we allow people to
continue to leverage this flexible medium for the delivery of Web
application content in a more secure, authenticated manner."

Cenzic is the only company in the industry to have both a state-of-the-art
software solution, Cenzic® Hailstorm®, and a managed service,
ClickToSecure™, allowing enterprises the flexibility to use either
solution or both based on their needs. These offerings help companies
protect their web-based applications from potential security threats by
emulating the way real hackers work in order to test applications for
security vulnerabilities and compliance issues. Using a Stateful
Assessment™ approach, Cenzic provides companies with highly accurate
results without the "false positives" often associated with
first-generation application scanners, and also tests for session
management flaws, application logic issues, and policy compliance with internal
policies and regulatory standards.