In the last 3 months there have been 11 million articles found by Google that have been written about Ajax security.
That’s a lot of good work going into checking out the security and developer implications of a technology. Unfortunately the quality of those documents (including mine, by the way) makes fishing through them trying to find answers to something fairly difficult. The Google search for this is here, and it is hard to pick out quality articles among the standard fare of articles that are re-released or paraphrased from other articles, until the original article gets buried in the noise of all the reprints.
One of the issues that any security researcher or engineer has to work through is how to weed through the noise and find the really good articles, and here are the ones that I found that answered the question, “is there any really new research in Ajax security in the last 90 days?” The problem is that the documents that are available still give us either the academic viewpoints or after-the-fact write-ups of hacking attacks (mostly against MySpace, Google, and other early adopters of Ajax).
While there are books at Amazon dot Com (here), the web articles seem to be very few and very far between. The articles that are available have little information of any real use to the Ajax security researcher, and the amount of copying from forum to forum has proved to be interesting. A small group of folks have written some very good authoritative work that gets picked up by many of the Ajax forums and blog sites, but it’s all starting to get dated.
Many of the books at Amazon are good, but not recent (as in the last 90 days recent), and neither are the articles on the web. Did we flash in the pan for a cool technology and then go back to waiting for our developers to come up with some really good Ajax stuff, or are we just waiting for the next Ajax exploit so that the security folks have something to get their hands on?
Personally I think there is more to Ajax than we have written about; the problem is writing about it. Some of the best material is coming out of SpiDynamics and some of the Ajax developer boards, but it has not been picked up by Google or the other search engines yet. The best Ajax developer information I have been able to find is:
Max Kiesler – with his 24 tutorials on Ajax; good stuff and worth checking out.
CGI Security – the entire section on Ajax seems to represent a really good cross section of information on how to write and secure Ajax.
The Ajaxian – has over 250 articles on Ajax, how to write it, how to secure it, and is a really good reference for both security folks and developers who are into Ajax.
A new tool (out in August 2006) that looks really promising for security engineers is SpraJax from the Denim Group. The other really good tool is going to be WebInspect from SpiDynamics (which I use on a frequent basis). Both vendors have worked hard to incorporate Ajax security into their tool sets. SpiDynamics is pricey, but well worth the cost if you have to scan a lot of web sites on a regular basis.
Otherwise, there is really no good information out there that is easy to find in the world of Ajax security. If you know of other resources, please make them known; there is not a lot of really good authoritative data out there, and the more the better.
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.