
Press Releases by JavaScriptSearch

"Rough Cut" of To-Be-Published Ajax Security Available From Addison-Wesley Professional

July 31, 2007; 06:00 AM

S.P.I. Dynamics, Inc. (http://www.spidynamics.com/), the leading provider of web application security assessment and testing, today announced the newly released "Rough Cut" of the forthcoming book Ajax Security, to be published by Addison-Wesley Professional. Ajax Security marks the publishing debut of SPI Dynamics' leading web application security experts, Bryan Sullivan and Billy Hoffman.

Rough Cuts, from Safari Books Online, give readers access to portions of a book while it is still being written. For information on how to access Ajax Security, please visit: http://safari.awprofessional.com/0321524403. For more information on Rough Cuts overall, please visit: http://safari.informit.com/roughcuts. Ajax Security is scheduled to be published in late 2007.

Ajax (Asynchronous JavaScript and XML) is a method of building interactive applications for the web that processes user requests immediately. Ajax Security, a hands-on, practical primer for professionals who want to prevent Ajax-related security weaknesses, exposes the minefield of vulnerabilities inherent in the Ajax framework and provides a guide for software developers to safely navigate through its complexity and create a secure application. Ajax Security will also benefit quality assurance and security penetration testers who want to find vulnerabilities in the Ajax applications they test to secure them from potential attacks.

Each chapter begins with a myth about Ajax security, which is then debunked. Throughout the book, readers will find case studies of actual exploited Ajax vulnerabilities that illustrate key points. The authors also provide specific recommendations for securing Ajax applications for each of the major Web programming languages (.NET, Java, and PHP) as well as for the popular new language, Ruby. Readers will become familiar with the security issues of the Web 2.0 world, learn how to create secure mashup web sites, learn how to identify vulnerabilities that may be lingering in current code, and receive recommendations for keeping new security vulnerabilities out of code.

"Ajax applications combine the best usability aspects of both traditional web applications and desktop applications," said Sullivan. "Unfortunately, they also suffer from the same security issues that affect both platforms. Ajax really is a 'perfect storm' of potential security vulnerabilities."

"Ajax applications run more code on the client than traditional web applications. This provides an attacker with all kinds of insight into how Ajax applications function, such as what web services it talks to, the function names and variable data types, as well as the control flow of Ajax applications and how data is stored," said Hoffman. "Offline Ajax applications built on top of frameworks like Google Gears or Dojo are even more susceptible to these data leakage issues."

Hoffman and Sullivan will co-present a talk titled "Premature Ajax-ulation," which focuses on the security issues within Ajax applications, at the upcoming Black Hat USA 2007 conference in Las Vegas, NV, August 1-2. The talk is scheduled for Wednesday, August 1st from 3:15 to 4:30 p.m. PT. In addition, a free chapter and the Rough Cut version of Ajax Security will be available to conference attendees at the SPI Dynamics booth (#9).

About the Authors

Bryan Sullivan has been a professional software developer and development manager for over twelve years, with the last five years focused on the Internet security software industry. He is a frequent speaker at industry events, and a published author on various topics related to his research in application security. As a Senior Security Researcher for SPI Dynamics' SPI Labs, Bryan is well-known for his expertise in applying security in development and Ajax technology. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review. He is a graduate of the Georgia Institute of Technology with a BS in Applied Mathematics.

Billy Hoffman is a well-known researcher in the web application security arena, and a known expert in Ajax security. As a Lead Security Researcher for SPI Dynamics' SPI Labs, he focuses on automated discovery of web application vulnerabilities and crawling technologies. He is a frequent guest speaker at industry events and his work has been featured in various magazines, journals and web sites. In addition, Billy is a member of the Web Application Security Consortium (WASC) and has three patents on web site assessment techniques pending review. Billy is also the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy is a graduate of the Georgia Institute of Technology with a BS in Computer Science.

About S.P.I. Dynamics, Inc.

SPI Dynamics' comprehensive suite of products and services identifies and remediates web application and web services security vulnerabilities throughout the application development lifecycle. These award-winning solutions also enable security professionals, QA testers, and developers to work together to verify compliance with 22 security policies such as SOX, HIPAA and PCI. SPI Dynamics has the most application security testing customers worldwide: over 1,000 clients among Global 2000 enterprises, including four out of five of the world's largest banks and nine out of 10 of the largest banks in the U.S., four out of five of the largest software companies, three out of four of the largest aerospace and defense companies, the four largest accounting firms, the five largest telecommunications companies in the U.S., six out of eight of the largest technology hardware and equipment companies, two out of three of the largest healthcare companies, and over 90 U.S. Federal agencies. The Company is one of the fastest growing in the security industry, ranked 83rd on Deloitte's "Fast 500" list of growing technology companies nationwide and 220th on the Inc. 500. SPI Dynamics has strategic partnerships with Microsoft, IBM, HP and Visa. The Company's R&D team, SPI Labs, is widely recognized as one of the leading authorities on web application security and risk management. For more information, visit http://www.spidynamics.com/ or call (866) 774-2700.

About Pearson Education

Addison-Wesley, Prentice Hall and Sams Publishing are respected publishers of quality computer science and engineering books and software for technical professionals. They are units of Pearson Education, the global leader in educational publishing, providing scientifically research-based print and digital programs to help students of all ages learn at their own pace, in their own way. Pearson Education is part of Pearson (NYSE: PSO), the international media company. In addition to Pearson Education, Pearson's primary operations include the Financial Times Group and the Penguin Group.

Product or service names mentioned herein are the trademarks of their respective owners.
