When we talk about securing the Grid, it is not just the pathways to the Grid applications that need to be secure, but the applications themselves. The more prolific Grid implementations use web services at their core. Their hosted applications, and the mechanisms for accessing them, are web-services based and are essentially web apps in and of themselves. As Grid becomes more mainstream, these types of applications and their availability will multiply. So how do we ensure that these applications remain available to their intended users (often everyone!) yet are used for "good" and not "evil"?

Phil Janson, a program manager with Services Research Assets at IBM, describes the most common attack method that hackers use to get into applications:

"The most frequent attack path hackers use is stack overflows, buffer overflows, and memory overflows. They send a system an amount of information that is far larger than what the target is expecting. As a result, when the target reads that information, it overflows the memory reserved to read in that parameter, and so it overwrites some other data structure in its memory. If the hacker is clever enough to send the right content of the right length, it can cause the overflow to override a critical data structure, which causes the application to derail and transfer control to a piece of code contained in the parameter that was just sent. And if you can cause the target program to derail and transfer control to that program embedded in this parameter, you can make the target system do anything you want it to."

The purpose of this type of attack is to transfer control from the original application to rogue code supplied by the attacker. In the world of web services and web apps, however, there is another potential for abuse: one that uses the original application exactly as it is, but not for its original intent. Take, for example, TinyDisk, a web app built on top of TinyUrl.
TinyUrl is a popular free web app that takes a ridiculously long URL and maps it to a much shorter key, for ease of use in e-mail, instant messaging, or anywhere a URL wrapped across several lines, or a line break inserted into it, might cause confusion. The short key is stored in a database alongside the original URL, and a request for the short version redirects the browser to the actual URL. TinyDisk uses TinyUrl's key generation and database to store arbitrary data rather than URLs. It is essentially a new web app built upon an existing web app, one that extends the use and original intent of that app. I used the word "extends"; one could very well use the word "exploit." Can we be sure that TinyDisk will not overrun the database and bandwidth of TinyUrl? The author of TinyDisk has put some safeguards in place for this; however, they can be easily circumvented, and any check TinyUrl itself could apply is limited by how little a legitimate URL constrains its contents.

Is TinyDisk a hack? It is simply using a web app, used by millions (actually over 11 million according to the TinyUrl web site!), more or less "as advertised."

Security pros have been steadily releasing new tools geared towards preventing hacks into web services and Grid services. Janson, for example, recently released a "Web Services Interface Definition for Intrusion Defense" tool that "flags any interface feature that could open a door to hacker attacks against that service." According to Janson:

"People get excited about security protocols and stuff like that. They tend to ignore input validation and dismiss it as something that any good programmer should do. But the trouble is that most programmers don't ... so you've got to give them tools to help them automate that step. Based on such tools, future Web and grid containers may do automated input validation on the fly on behalf of forgetful or negligent programmers."

With conventional operating systems and applications it can sometimes be difficult to prevent a hack; however, a hack is usually pretty easy to recognize.
In the new world of web services and web apps this may not be so clear.
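The two points Janson makes above, an over-long parameter overwriting the critical data structure next to it and the missing length check that would have stopped it, can be shown in a few lines of C. The following is an added example written for this page; it is not code from IBM, from the tool Janson describes, or from TinyUrl. It models the callee's stack frame as a struct so that the overwrite is deterministic and stays inside one object, and the two "addresses" are arbitrary constants chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a callee's stack frame on a 32-bit target: the
 * fixed-size parameter buffer sits immediately before the saved return
 * address, the "critical data structure" Janson refers to. Modelling it
 * as a struct keeps the demonstration deterministic (offset 16 follows
 * the 16-byte buffer) instead of depending on a real compiler's layout. */
struct stack_frame {
    char     param[16];
    uint32_t saved_return;
};

#define ORIGINAL_RETURN 0x08048ABCu  /* assumed legitimate return address */
#define EVIL_RETURN     0xBFFFF7C0u  /* assumed attacker-chosen address  */

/* Vulnerable reader: copies as many bytes as the sender claims to have
 * sent. The clamp to sizeof *f only keeps the model inside the struct;
 * the actual defect is that len is never compared with sizeof param. */
static void read_param_unchecked(struct stack_frame *f,
                                 const uint8_t *data, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((uint8_t *)f + offsetof(struct stack_frame, param), data, len);
}

/* Hardened reader: validate the length against the buffer first.
 * Returns 0 if the parameter was stored, -1 if it was rejected. */
static int read_param_checked(struct stack_frame *f,
                              const uint8_t *data, size_t len)
{
    if (len >= sizeof f->param)       /* keep one byte for the NUL */
        return -1;
    memcpy(f->param, data, len);
    f->param[len] = '\0';
    return 0;
}

/* Constructed malicious request: 16 filler bytes, then a 4-byte address
 * in native byte order that lands exactly on saved_return. */
size_t build_overflow_request(uint8_t *out, uint32_t addr)
{
    memset(out, 'A', 16);
    memcpy(out + 16, &addr, sizeof addr);
    return 16 + sizeof addr;
}

/* Feed the overflow request to one of the readers and report what the
 * saved return address holds afterwards. */
uint32_t demo_saved_return(int use_checked)
{
    uint8_t req[32];
    size_t n = build_overflow_request(req, EVIL_RETURN);
    struct stack_frame f;
    memset(&f, 0, sizeof f);
    f.saved_return = ORIGINAL_RETURN;
    if (use_checked)
        (void)read_param_checked(&f, req, n);
    else
        read_param_unchecked(&f, req, n);
    return f.saved_return;
}

/* Does the hardened reader accept this parameter? 1 = yes, 0 = rejected. */
int demo_checked_accepts(const char *s)
{
    struct stack_frame f;
    memset(&f, 0, sizeof f);
    return read_param_checked(&f, (const uint8_t *)s, strlen(s)) == 0;
}

int main(void)
{
    uint32_t r = demo_saved_return(0);
    printf("unchecked: saved_return=0x%08X (%s)\n", r,
           r == ORIGINAL_RETURN ? "intact" : "hijacked");
    r = demo_saved_return(1);
    printf("checked:   saved_return=0x%08X (%s)\n", r,
           r == ORIGINAL_RETURN ? "intact" : "hijacked");
    printf("checked accepts \"user=bob\": %d\n", demo_checked_accepts("user=bob"));
    printf("checked accepts 20 x 'A':  %d\n",
           demo_checked_accepts("AAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

With the unchecked reader the 20-byte request lands its last four bytes on `saved_return`, which is the whole attack in miniature; the checked reader refuses anything that does not fit with room for a terminator, which is exactly the kind of check a container doing automated input validation on a developer's behalf would enforce.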