Significance of the 'death of the document web' to security

  I'm not in the habit of making predictions for the coming year, because they're almost always either obvious or, when not obvious, wrong - but this is one post I feel I need to write, because while it is a prediction, it's not an obvious one.  You'll have to let me know what you think.

 

  I've been thinking a lot lately about where the Internet as we know it is heading, given the technology space I work in and the type of research going on here at HP ... and one really interesting theme has been the heralding of the "Death of the Web" - or, put more accurately, the "death of the document-based web".  This article on GigaOM by Dominiek ter Heide caught my attention because it is a clear, rational explanation of something I completely agree is already in the process of happening.

 

  I really like how Dominiek defines the future role of a modern web server as a machine-to-machine interface rather than a human-to-machine interface:

 

"Today’s Web server is increasingly becoming a data hub that provides connectivity and data synchronization between different client apps. This data hub is becoming much more like a Machine Interface as opposed to a User Interface. It might still render some dumb static HTML pages for the Google Bot, but as any site owner can see in their statistics, traffic from traditional search engines is increasingly being eaten by Twitter and Facebook — or rather, the real-time social Web."

 

  I've highlighted the most interesting part of this quote for you, because there is great significance in it for those of us in Information Security and its derivatives.  Even as I pop open Google Chrome, one of its more prominent features is the Chrome Web Store, which offers applications that run entirely inside the browser, built exclusively on web technologies - and some don't even require an Internet connection to be present.  All the great features of the HTML5 explosion are starting to arrive - the big question is, are we ready?

 

  If you think of your web server as no longer serving "web pages" but serving data, often formatted as JSON (that is, without the presentation context, or much else for that matter), the 'attack surface' of your enterprise begins to look different.  Developers still hoping that security will come from the application (the "web app") itself are in for a cold splash of water, because the APIs you expose and the data you share are just as likely to be accessed by something other than your application - by anything else that consumes your data and APIs.  Any check that lives only in the client's JavaScript is a suggestion, not a control; the server is the only place a control can actually be enforced.  Think about that.

 

  It feels strange ... almost as if we're returning to the days of thick clients.  Not exactly, though, because these semi-thick apps live inside the ultimate thick-client app - our browser.  The problem is that now we have too many choices again, and whereas JavaScript + CSS + HTML was almost a standard across all platforms, we're going back to writing apps for specific platforms again.  Android, iOS, BlackBerry and the desktop (Apple, Microsoft, Linux ...) are all valid platforms that come with their own quirks and perversions of the word "standard" ... then again, what does that even mean?  Is it a standard if no one follows it?  So how does any of this relate to information security, you're thinking?

 

  Information Security has just started getting comfortable with profiling, analyzing, and defending web-based applications which are served up from a web server, consumed (mostly) by a human, and used in a browser through some almost-standard means.  Hang on tight, because the world has just taken a sharp left, and if you haven't buckled in you're bound to be thrown from the bus.  Do those Web Application Firewalls you've taken 3 years to implement do you any good in this new world?  A WAF whose rules were tuned to HTML form posts has to parse JSON bodies before it can see anything at all.  Does your code review and penetration testing process for releasing new web apps account for there being no user interface for you to test?  If you've been practicing good security all along in the software development world, odds are you won't have to make any ground-breaking changes ... but if you're where the other 99% of the population is, you may want to get out ahead of this one.  This bull is coming fast ... check your mobile handset for proof.
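  To make the two preceding points concrete - APIs that get consumed by something other than your own web app, and testing an endpoint that has no UI to click through - here is an added example.  It is not code from the original post or from any product mentioned here; the user ids, bearer tokens, field names and request shape are all made-up assumptions.  The naive handler trusts the JSON body because the in-house web app only ever sends well-formed values; the hardened handler takes identity from the session, authorizes against the resource named in the path, and allow-lists the fields it will accept.  The hand-built requests at the bottom are the kind of thing a pentester sends when there is no form to fill in.

```javascript
// Added example, not code from the original post: a JSON "data hub"
// endpoint written the naive way and the hardened way, plus hand-built
// requests that the official client would never send. Every name here
// (user ids, tokens, field names, the request shape) is a made-up
// assumption for illustration.

// Constructed sample data: profiles keyed by user id, and a session
// store mapping bearer tokens to the authenticated user.
function freshDb() {
  return {
    "u-100": { userId: "u-100", displayName: "alice", role: "user" },
    "u-200": { userId: "u-200", displayName: "bob", role: "user" },
  };
}
const SESSIONS = { "tok-alice": "u-100", "tok-bob": "u-200" };

// Naive handler. The in-house web app always fills userId from the
// logged-in user and never sends "role", so the developer assumes the
// body is trustworthy and merges it straight into the record. Nothing
// about the endpoint enforces that assumption.
function naiveUpdateProfile(req, db) {
  const body = JSON.parse(req.body);
  const target = db[body.userId];
  if (!target) return { status: 404, body: { error: "not found" } };
  Object.assign(target, body); // trusts every field the caller chose to send
  return { status: 200, body: { ...target } };
}

// Hardened handler: authenticate from the session, authorize against the
// resource named in the path, then validate the payload against an
// explicit allow-list. Identity never comes from the JSON body.
const ALLOWED_FIELDS = new Set(["displayName"]);

function hardenedUpdateProfile(req, db, sessions = SESSIONS) {
  const auth = req.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  const callerId = token ? sessions[token] : undefined;
  if (!callerId) return { status: 401, body: { error: "unauthenticated" } };

  // The URL says whose profile is being edited; only the owner may edit it.
  if (req.params.userId !== callerId) {
    return { status: 403, body: { error: "forbidden" } };
  }

  let body;
  try {
    body = JSON.parse(req.body);
  } catch (_) {
    return { status: 400, body: { error: "malformed JSON" } };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, body: { error: "expected a JSON object" } };
  }
  // Reject unknown fields outright rather than silently dropping them;
  // a client sending "role" is either buggy or hostile, and you want to know.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) {
      return { status: 400, body: { error: "field not allowed: " + key } };
    }
  }
  const name = body.displayName;
  if (typeof name !== "string" || name.length < 1 || name.length > 64) {
    return { status: 400, body: { error: "displayName must be 1-64 characters" } };
  }

  const target = db[callerId];
  target.displayName = name;
  return { status: 200, body: { ...target } };
}

// Requests built by hand, the way a pentester (or anyone with the API
// documentation and a bearer token) would, rather than through the UI.
function request(token, targetUserId, payload) {
  const headers = token ? { authorization: "Bearer " + token } : {};
  return { method: "PUT", params: { userId: targetUserId }, headers, body: payload };
}

// Bob tries to rename alice and promote her, sending fields the UI never would.
function crossUserEscalation() {
  return request("tok-bob", "u-100",
    JSON.stringify({ userId: "u-100", displayName: "pwned", role: "admin" }));
}

// Bob edits his own profile but smuggles a "role" field in.
function selfPromotion() {
  return request("tok-bob", "u-200",
    JSON.stringify({ displayName: "bob", role: "admin" }));
}

if (typeof require !== "undefined" && require.main === module) {
  const db = freshDb();
  console.log("naive:", naiveUpdateProfile(crossUserEscalation(), db), db["u-100"]);
  console.log("hardened:", hardenedUpdateProfile(crossUserEscalation(), freshDb()));
  console.log("hardened:", hardenedUpdateProfile(selfPromotion(), freshDb()));
  console.log("hardened, malformed:",
    hardenedUpdateProfile(request("tok-bob", "u-200", "{not json"), freshDb()));
}
```

  Run it with node to see the naive handler accept the cross-user, role-escalating write with a 200, while the hardened one answers 403 for the other user's record, 400 for the smuggled field or malformed JSON, and 401 when there is no token at all.  The ordering is deliberate: authentication, then authorization, then validation, so an unauthenticated or unauthorized caller learns nothing about which fields the endpoint accepts.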

Example


  Since someone asked in the comments for an example of a server "acting as a data hub or machine interface, versus acting like a user interface", I thought I would give one here for clarity ... if someone has a better one than what I've come up with, please share.

 

  The example that comes to mind immediately is Facebook.  As people move away from using the website directly (going to www.facebook.com in a browser) toward app-based access on Android or iOS, the human no longer interacts with the web server itself, but with the app on the local device.  The app then makes API calls, presumably exchanging JSON or some other format, to shuffle data to and from Facebook's servers.  The web server thereby becomes a data hub or data interchange rather than a user interface ... meaning it no longer serves up web pages, but data for the apps to use locally.

 

  I hope this example makes sense and is clear.  Examples of this are popping up all over the place: apps like TripIt (one I use every day) on my iPhone/Android handset, and even the games I used to play on a web site are now played locally through an app that communicates with the web server on my behalf.  Isn't technology wonderful?

Comments
Bshane (anon) | 12-29-2011 10:57 AM

Thank you for the thoughtful article. I kind of understand it. Could someone give an example of a situation where a server is acting as a data hub or machine interface, versus acting like a user interface?

 

As for security, is there anything users should be doing to respond to changes in the way we use the web? Many thanks.

Rafal Los (Wh1t3Rabbit) | 12-29-2011 12:34 PM

Bshane: As far as security goes, and what changes should be made ... I plan on doing another post on that but let me quickly touch on it here...

 

I feel like the most important thing security can do is start to understand that the technology shift is happening, and embrace it.  We need to embrace agile development and its crazy cousins because this is where the shift is happening as well with rapid development, continuous release cycles and the like.  I tend to believe that there are also going to be differences in the way the actual bits move around, so analysis techniques and technologies will need to shift, change and adapt - but I don't want to spill the beans on that quite yet :)

 

Stay tuned, and thank you for posting the comment.
