AJAX, the wrong tool?
March 13, 2008
Some developers view AJAX as the best choice for every scenario; however, from my own experience AJAX introduces its own set of drawbacks, and we should take care before we start using this technology. We can summarize these drawbacks in the following points:
Additional development time
Learning a new technology like AJAX introduces its own delays before it is properly understood and used.
Extra time is needed to decide what to do when a user has disabled JavaScript support in their browser; delivering an alternative solution (using the NOSCRIPT tag) requires additional development time.
No browsing history: the Back/Forward buttons become useless, so users cannot easily bookmark the app or navigate to and from it using the browser's buttons. Some JavaScript libraries provide a way to build such functionality, but it adds development and testing time.
In addition, when developers jump on AJAX, make sure they don't use it for everything, or you will eventually lose time fixing up the application.
Accessibility
AJAX makes the browser behave differently from its original design: as noted above, the Back and Forward buttons no longer work as expected, and some AJAX-loaded content has no URL of its own. You will have to take all of this into consideration while designing your AJAX application.
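One common way to give AJAX views a URL again is to serialise the current view into the fragment part of the address (location.hash), which the browser records in its history and which users can bookmark. The following is an added example written for this post, not code from the original article or from any library it mentions; the view names, the state shape and the loadView hook are assumptions. The fragment is parsed strictly, so a hostile value pasted into the URL falls back to a default view rather than being trusted.

```javascript
// Added example (not from the original post): bookmarkable AJAX views via location.hash.
// View names and state shape are assumptions made for this illustration.
const ALLOWED_VIEWS = new Set(['inbox', 'contact', 'search']);

// Serialise the view state into a fragment such as "#search?page=2&q=ajax+history".
function stateToHash(state) {
  if (!ALLOWED_VIEWS.has(state.view)) {
    throw new Error('unknown view: ' + state.view);
  }
  const params = new URLSearchParams();
  if (state.page !== undefined) params.set('page', String(state.page));
  if (state.q !== undefined) params.set('q', state.q);
  const qs = params.toString();
  return '#' + state.view + (qs ? '?' + qs : '');
}

// Parse a fragment back into state. Anything unexpected (unknown view, bad page
// number) falls back to a safe default instead of being used as-is.
function hashToState(hash) {
  const body = (hash || '').replace(/^#/, '');
  const idx = body.indexOf('?');
  const view = idx === -1 ? body : body.slice(0, idx);
  const qs = idx === -1 ? '' : body.slice(idx + 1);
  if (!ALLOWED_VIEWS.has(view)) return { view: 'inbox', page: 1 };
  const params = new URLSearchParams(qs);
  const page = Number.parseInt(params.get('page') || '1', 10);
  const state = { view, page: Number.isInteger(page) && page > 0 ? page : 1 };
  const q = params.get('q');
  if (q !== null) state.q = q.slice(0, 200); // cap the length of a user-controlled value
  return state;
}

// Browser wiring: every hash change (Back, Forward, bookmark, manual edit) becomes
// a view load. Skipped under Node so the two functions above can be unit tested.
if (typeof window !== 'undefined') {
  window.addEventListener('hashchange', () => {
    const state = hashToState(window.location.hash);
    // loadView(state) is the assumed application function that issues the
    // XMLHttpRequest for that view and renders the result.
    if (typeof loadView === 'function') loadView(state);
  });
}
```

When the application itself changes view, it sets `window.location.hash = stateToHash(state)` instead of only updating the DOM; the browser then records the entry, so Back/Forward return the user to the previous view and a bookmark captures the current one.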
Discoverability
Search engines like Google require a page URL and use the words on the page as one aspect of their approach to ranking pages. Search engine spiders do not load a page and execute its JavaScript, so content fetched through AJAX is invisible to them; this can lose you visitors, although it is not an issue for internal intranet applications.
Security
While JavaScript is a mature language, it does have security holes that must be considered regardless of whether you're using AJAX; server-side security measures can be used to block such problems.
Also, the issue of cross-site scripting (XSS) is more prominent with AJAX, as script may run in the background and access resources without the user's knowledge. Given these possibilities, all data must be protected (validated, and escaped before it is written into the page) to avoid malicious activity.
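The typical way an AJAX page ends up with an XSS hole is that a value returned by the server is written into the page with innerHTML as if it were trusted. The following added example (written for this post, not part of the original article) shows the defensive pattern: the response is accepted only if the server labelled it as JSON, it is parsed with JSON.parse rather than eval(), and every field is HTML-escaped before it is placed in markup. The field names and the sample payload are constructed for the illustration.

```javascript
// Added example (not from the original post): rendering an AJAX response without
// an XSS hole. Field names and the sample payload are constructed for this demo.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept the body only when the server declared it as JSON, and parse it with
// JSON.parse; eval() on a response body would execute anything the server (or a
// man-in-the-middle) put there.
function parseJsonResponse(contentType, body) {
  if (!/^application\/json\b/i.test(contentType || '')) {
    throw new Error('unexpected content type: ' + contentType);
  }
  const data = JSON.parse(body);
  if (!Array.isArray(data)) throw new Error('expected a JSON array');
  return data;
}

// Build the list markup with every server-supplied value escaped. In the browser
// this string is what goes into innerHTML; if you instead create elements and
// assign textContent per node, no escaping is needed at all.
function renderComments(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('');
}

// Constructed sample response: one ordinary comment and one whose author field
// carries a script tag, as a hostile user might have submitted it earlier.
const SAMPLE_BODY = JSON.stringify([
  { author: 'alice', text: 'Looks fine to me' },
  { author: '<script>alert(1)</script>', text: 'hi "there"' },
]);

// Run the whole path on the sample and return the markup that would be inserted.
function demo() {
  return renderComments(parseJsonResponse('application/json; charset=utf-8', SAMPLE_BODY));
}
```

Escaping is applied at the moment the value enters HTML, not when it is stored, so the same stored comment can later be rendered safely in another context (for instance as plain text in an e-mail) with the escaping appropriate to that context.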
And finally, make the right decision
It is generally agreed that a hybrid approach is usually the best solution with AJAX: there are times when AJAX is applicable, and times when you should use another approach.
What problems have you encountered while developing AJAX-based applications? Share your experience.
CriticalSites has announced two new security products
November 16, 2007
Today CriticalSites announced two new security products on their website: Total Account Controller (TAC) and Service Account Controller (SAC).
Total Account Controller (TAC)
As your network grows, it becomes impossible for your network administrator(s) to manage all these machines manually and to organize their password changes effectively.
Since effective management of Windows local accounts is critical to your company's information, and thus to the success of your business, CriticalSites Total Account Controller (TAC) is the solution for simple and efficient management of local Windows accounts.
Service Account Controller (SAC)
Every day, storage professionals are peppered with a hail of security warnings about imminent threats. Organizations don't know what to work on first, and no one knows how secure they really are until their security has been breached; by then it's too late. It is almost impossible to quantify how secure your network is.
What is needed is a metric: something that can measure the relative vulnerability of your entire network against a benchmark you create. A consistent measuring stick empowers your organization to measure both its successes and its failures.
Most importantly, measuring against a standard allows your organization to continually minimize its risk through incremental process improvements over time.
Service Account Controller, through its "Risk Index", provides both the metric and the means by which to measure.
Individual AppPools vs. Shared Pooling
October 2, 2007
Many hosting companies have based their Windows hosting environments on the concept of shared application pooling; by sharing AppPools, those companies achieve server densities similar to those seen on Apache (Linux/Unix). But for any customer whose website processes credit card information directly or contains proprietary scripts, this is a significant problem: their site shares a security identity with the other sites in the same AppPool. A developer, using a coding technique called "RevertToSelf", can view the code (in read-only mode) of all of the sites within the same AppPool. The result for the customer is that their site is not secure. Moreover, the more things that can go wrong or cause the sites within that AppPool to crash (like the well-known pooling crash between ASP.NET 1.1 and 2.0), the more customers will be affected by such a calamity.
Read more:
configuring Application Pools in IIS 6.0
running multiple ASP.NET applications
Don’t lose your laptop
September 16, 2007
The laptop has become one of the most valuable pieces of tech we own, and securing it is one of our top concerns. There are two sides to laptop security: the physical side and the software/data side. Just imagine how much it would cost you if you lost your laptop right now; I bet you would be sick for a while, especially if you are storing sensitive information, whether personal or your company's, and even more so if you didn't make backups at the right times. Here are some tips you can follow to protect your laptop.
Encrypt your data: full disk encryption provides good protection, as everything on your hard drive is protected and you don't have to worry about saving files to a particular location. Windows XP users will find many third-party products on the market (just Google them); Windows Vista users should consider BitLocker drive encryption. For storage hosts, NTP Software, the worldwide leader in storage management, offers NTP Software Encryption Sentinel, which lets organizations designate sensitive data on their storage hosts and then ensures that this data can only be copied to or read by an encrypted client.
Use firewall software: laptops often spend time outside your company firewall, so they lose the important protection those devices provide, especially when you are out on an unsecured wireless network; a firewall helps keep your laptop from being attacked.
Use tracking software: you probably want your laptop back. Tracking software is installed in an undetectable location on the laptop and can't be erased. Each time the computer connects to the Internet it reports to the recovery software company, which tracks down the physical location of the laptop and notifies the authorities. Even if you succeed in recovering the hardware, you can't be sure the thief didn't compromise your data, so some tracking software also includes the ability to remotely delete information from the laptop.
Disable Windows services you don't need: each service that runs on your laptop increases the attack surface, especially services that listen on particular ports. To further protect your laptop, disable any services you don't need to do your job.
Say no to WEP in your wireless network
August 8, 2007
If you started to read this post, you probably have a wireless LAN in your home or office, so you need to know the truth about Wired Equivalent Privacy (WEP). Some of us know that it's not secure enough but still don't know why, or what the alternatives are if we don't use it.
WEP was designed to protect a wireless network from eavesdropping. However, it has significant vulnerabilities and has been dead for a couple of years, though some manufacturers still support it in their products. Last year I published a paper about the security risks of 802.11 that illustrates the weaknesses of WEP in detail; you can download it from the following link:
Security Risks of 802.11 – July 2006
Weak encryption protocol: WEP's major flaw is its use of a static encryption key. The encryption standard itself isn't the problem (it uses RC4 to protect confidentiality); the problem is that every device uses one key to encrypt every transmitted packet, which means an average hacker using simple wireless hacking tools like aircrack or the Linux BackTrack WEP cracking tools can eventually figure out the key.
Switching to WPA: there are several versions of Wi-Fi Protected Access (WPA) available today; the easiest and most widely supported is WPA Pre-Shared Key (WPA-PSK). You configure your router with a plain-text passphrase between 8 and 63 characters long. Using an encryption protocol called Temporal Key Integrity Protocol (TKIP), WPA uses that passphrase along with the network's service set identifier (SSID) to generate unique encryption keys for each wireless client, and those keys change continuously at the beginning of each transmitted frame. It's not the most secure protocol, but it's much better than WEP and harder to break, although I haven't seen any researcher break it yet. If you can use WPA2 (which uses AES), use it: when it comes to security and encryption standards, using the latest standard is always a good thing.