News by JavaScriptSearch


Cenzic Extends Support for AJAX Security Assessment Applications

 

JavaScriptSearch
Wednesday, May 24, 2006; 08:16 AM

Cenzic announced that its automated vulnerability assessment solutions now offer full support for testing Web applications built using AJAX (Asynchronous JavaScript and XML) software development technology. AJAX support in Cenzic Hailstorm and ClickToSecure enables customers to take advantage of this application development technique to develop smoother, more responsive and intuitive applications without the associated vulnerabilities which have left AJAX-based applications increasingly susceptible to security threats.

Historically, the same simplicity that enabled the Web's growth as a communications medium also created a gap between the experience it provides and the experience users expect from desktop applications. AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a platform for business and consumer applications. Using AJAX, web-based applications can be developed with the same power and efficiency as desktop applications, providing software developers a wide open platform for creating innovative new programs that do not rely on computer operating systems.

As a method of programming which combines several different tools -- including JavaScript, dynamic HTML (DHTML), Extensible Markup Language (XML), and others -- AJAX builds interactive applications for the Web which process user requests immediately. Web pages are more readily responsive by exchanging small amounts of data with an intermediary -- an AJAX engine -- located between the user and the server, rather than the entire Web page reloading each time a user makes a change. An AJAX application eliminates the start-stop-start-stop nature of the Web, thus increasing the speed and user-interactivity of web pages and web-enabled services.

"AJAX creates rich internet applications that can be leveraged for tasks across the board, such as updating and deleting records or returning simple search queries. This notion of the Web as a software platform provides an inviting, seemingly limitless medium which is already being leveraged by industry leaders such as Google and Microsoft," said Mandeep Khera, vice president of marketing for Cenzic. "However, AJAX-style applications present new Web application security challenges which are often not initially visible to application developers. We have always taken pride in responding to our customers' needs, and as some of these customers have started developing their applications using the AJAX platform, they want to ensure that the applications are secure. Cenzic solutions now provide for the automated and efficient testing for these applications."

Tied to the new opportunities presented by AJAX and related Web 2.0 development tools are an accompanying number of new security holes. By enabling more interactive Web pages that are interoperable with Web services, AJAX immediately increases the amount of XML, text or HTML network traffic and therefore exposes applications to Web services vulnerabilities. The complexities inherent to AJAX development leave the door open for malicious clients to send corrupted data, expose back-end applications that were not previously vulnerable, and allow unauthenticated users to quickly elevate their privileges in the absence of server-side protection.

"The open, malleable nature of Web 2.0 establishes a relatively easy target for malicious behavior to compromise applications and overall network security," said Khera. "However, AJAX is here to stay, being touted as the technology to deliver a richer user experience with the potential to form the future of Web application technology. By making the powerful functionalities of Hailstorm applicable to Web 2.0, we allow people to continue to leverage this flexible medium for the delivery of Web application content in a more secure, authenticated manner."

Cenzic is the only company in the industry to have both a state-of-the-art software solution, Cenzic® Hailstorm®, and a managed service, ClickToSecure™, allowing enterprises the flexibility to use either solution or both based on their needs. These offerings help companies protect their web-based applications from potential security threats by emulating the way real hackers work in order to test applications for security vulnerabilities and compliance issues. Using a Stateful Assessment™ approach, Cenzic provides companies with highly accurate results without the "false positives" often associated with the first-generation application scanners, as well as tests for session management, application logic issues, and policy compliance for internal policies and regulatory standards.
