Expert: AJAX isn’t the security problem

analysis
Dec 1, 2006
2 mins

We at InfoWorld are pretty excited about AJAX, which is why we’ve been looking at both the technology and specific tools for quite some time. (Our most recent roundup of tools came out just this week, in fact.)

But as with any relatively new technology, it’s important to keep security in mind. (Actually, that case can be made for just about any technology, can’t it?)

AJAX has gotten a bad rap from some experts and techno-pundits as being potentially insecure. For example, Billy Hoffman, lead risk researcher at SPI Dynamics, said at the AJAXWorld Conference and Expo last month that AJAX and Java present a litany of potential security issues with JavaScript and AJAX, including the use of user-supplied content, cross-site scripting and rapid application development.

Presenting a counter to that argument is Jeremiah Grossman, founder and CTO of WhiteHat Security. Earlier this month, Grossman published an article titled “Myth-Busting AJAX (In)security.” In it, he argues that AJAX isn’t in and of itself a security risk:

“AJAX technology makes website interactivity smoother and more responsive. That’s it. Nothing changes on the Web server, where security is supposed to reside. If that’s the case, then what is everyone talking about? Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS), reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged.”

He makes some interesting points in his article. Developers and IT security folks: I suggest you check out his article.
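Grossman's central claim, that the server-side rules do not change when a request arrives via XMLHttpRequest instead of a plain form post, can be shown in a few lines. The following is an added example written for this page; it is not code from the InfoWorld post, from WhiteHat Security, or from SPI Dynamics. It assumes a hypothetical comment endpoint and uses constructed request objects (a headers map plus a raw body) rather than real Node.js HTTP requests, so it runs offline.

```javascript
// Added example (not from the InfoWorld post or from WhiteHat Security):
// the server-side checks a comment endpoint needs are the same whether the
// request comes from a classic HTML form or from an XMLHttpRequest call.

// Encode the characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parse a request body according to its declared content type. Both
// formats feed the same validation below; the transport is irrelevant.
function parseBody(contentType, rawBody) {
  if (contentType === 'application/json') {
    return JSON.parse(rawBody);
  }
  if (contentType === 'application/x-www-form-urlencoded') {
    return Object.fromEntries(new URLSearchParams(rawBody));
  }
  throw new Error('unsupported content type');
}

// Server-side validation: the one place where the rules are enforced.
// Client-side JavaScript may duplicate these checks for usability, but
// a hand-crafted request bypasses anything that runs in the browser.
function validateComment(fields) {
  const text = typeof fields.text === 'string' ? fields.text.trim() : '';
  if (text.length === 0 || text.length > 500) {
    return { ok: false, error: 'text must be 1-500 characters' };
  }
  return { ok: true, text };
}

// Handle a POST to the hypothetical /comment endpoint. `req` is a constructed
// request object (headers + body), not a Node http.IncomingMessage.
function handleComment(req) {
  let fields;
  try {
    fields = parseBody(req.headers['content-type'], req.body);
  } catch (e) {
    return { status: 400, body: 'bad request' };
  }
  const result = validateComment(fields);
  if (!result.ok) {
    return { status: 400, body: result.error };
  }
  // Output encoding happens at render time, on the server, for every path.
  const rendered = `<li class="comment">${escapeHtml(result.text)}</li>`;
  return { status: 200, body: rendered };
}

// Constructed sample requests: the same text submitted via a form post and
// via an AJAX call. The markup is a standard test string for output encoding.
const sampleText = '<script>alert(1)</script>';
const formRequest = {
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({ text: sampleText }).toString(),
};
const ajaxRequest = {
  headers: {
    'content-type': 'application/json',
    'x-requested-with': 'XMLHttpRequest',
  },
  body: JSON.stringify({ text: sampleText }),
};

// Both paths produce identical, encoded output; neither one trusts the client.
console.log(handleComment(formRequest));
console.log(handleComment(ajaxRequest));
```

The `x-requested-with` header is deliberately ignored by the handler: it is set by the browser's own script and can be added or omitted by anyone who can send an HTTP request, so it must not be used as evidence that a request is "safe". The validation and the HTML encoding live entirely on the server, which is the point Grossman makes in the quoted passage.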

What do you think? Is AJAX in and of itself a security risk?