Forrester Research analyst Mike Gualtieri worries that developers are not adequately accounting for third-party services and APIs in their threat modeling of Web applications. “Developers are not adjusting,” he said. “They are just passing credentials and not worrying about it.”
Several experts offer suggestions for dealing with the additional threats posed by today’s mashup applications. For example, Max International CTO Jeff Hanson explains the need for client-side and server-side validation frameworks that compliment each another. “Because client-side validation can be circumvented quite easily, a comprehensive and complementary server-side validation provides another crucial component for protecting data and processes.”
Benjamin Jun, vice president of technology at Cryptography Research, adds that authentication becomes a greater challenge in mashups: “First, the enrollment process for credentials on a social networking Website is very different from getting enrollment credentials for online banking. This means that there may be gaps in trust across authentication systems. Secondly, identity and access management is complex – particularly when considering the three R’s of corner cases: redirects, renegotiation and reconnections. Developers who use authentication API’s are usually forced into using their partner’s API, but can try to avoid (or at least take great care) when using those modes.”
