AJAX (Asynchronous JavaScript and XML) may be popular for building Web applications, but it is still beset with security issues, experts agreed at the AJAXWorld Conference & Expo in Santa Clara, Calif. on Tuesday evening. AJAX does not change Web security, said Billy Hoffman, lead risk researcher at SPI Dynamics. “It makes traditional Web attacks much, much worse,” Hoffman said. Intrusion detection systems are ineffective against this problem, and SSL is no help either, he stressed. Hoffman also cited issues with inexperienced developers building Web applications.

Hoffman presented a litany of potential security issues with JavaScript and AJAX, including the use of user-supplied content, cross-site scripting and rapid application development. Web services calls also can be a hazard, according to Hoffman. Web 2.0 and potential profit are driving the quick development of applications, presenting risks, he said. “There’s this rush to Web 2.0-ize all these apps with no thought,” said Hoffman. The question that needs to be asked, he said, is what exposures an AJAX application creates. “Information theft in JavaScript is amazing,” Hoffman said.

(While I was unable to stay through Hoffman’s entire presentation to find out what can be done to secure AJAX applications, I did ask Jesse James Garrett, the IT consultant who coined the term AJAX. His prognosis was not much better.) “Honestly, I think that we haven’t discovered all the holes yet,” Garrett said. “Exploits will be discovered and people will find ways to patch them,” Garrett added.

Also at AJAXWorld, IBM on Wednesday will announce technology contributions to the open source community, with the intention of speeding the adoption of Web 2.0 in the enterprise. Featured as part of IBM’s contributions are enhancements to the Eclipse Foundation AJAX Technology Framework (ATF) and the Mozilla Foundation.
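To make Hoffman's point about user-supplied content and cross-site scripting concrete, here is an added illustration (not code from the article, from SPI Dynamics or from any product mentioned) of the pattern he is warning about: an AJAX response handler that takes a JSON payload and builds page markup from it. The comment endpoint, the JSON shape and the comment text are constructed for the example. The unsafe handler treats each field as HTML, so markup a user typed into a form is rendered as markup once the string reaches `innerHTML`; the hardened handler encodes every user-controlled field first.

```javascript
// Added example: user-supplied content flowing through an AJAX response
// handler. The endpoint shape, the JSON below and the comment bodies are
// constructed sample data, not anything from the original article.

// Constructed sample of what a "load comments" call might return. One comment
// body carries markup that a user typed into the comment form.
const SAMPLE_RESPONSE = JSON.stringify({
  comments: [
    { author: "alice", body: "Nice post" },
    { author: "mallory", body: "<script>alert('xss')</script>" },
  ],
});

// Unsafe handler: every field is concatenated straight into markup. Once this
// string is assigned to element.innerHTML, the user's markup becomes part of
// the page (cross-site scripting via the AJAX data channel).
function renderCommentsUnsafe(jsonText) {
  const data = JSON.parse(jsonText);
  return data.comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("");
}

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened handler: each user-controlled field is encoded before it is joined
// into markup, so the browser shows the comment as text rather than executing it.
function renderCommentsSafe(jsonText) {
  const data = JSON.parse(jsonText);
  return data.comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// A simple check a reviewer or test suite can run on rendered output:
// does a raw <script tag survive into the markup?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderCommentsUnsafe(SAMPLE_RESPONSE));
console.log("safe:  ", renderCommentsSafe(SAMPLE_RESPONSE));
```

In a browser the simplest fix is to skip string templating altogether and build the list with `document.createElement` and `textContent`, which never interprets the data as markup; the encoding shown above is what you need when a template string is unavoidable. The same rule applies to any other response that carries user content, including the Web services calls Hoffman flagged: treat the payload as data, never as HTML.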
The company plans to generate AJAX as part of the JSF Tools (JavaServer Faces) in the next release of IBM Rational Application Developer, due later this year. Contributions to ATF let clients deploy and debug AJAX technology on any Web server, including IBM WebSphere, Tomcat, JBoss and BEA WebLogic. Ease-of-use and simplified-creation assets have been updated so that AJAX support can be added to existing products without the applications having to reside in Eclipse. Developers also can type a Web address into ATF and begin debugging applications, and can change Cascading Style Sheets and DOM (Document Object Model) properties with live rendering in a browser.

The Mozilla Foundation, meanwhile, has updated its toolkits with IBM contributions. IBM’s technologies allow ATF to debug AJAX applications, running within ATF, that use Mozilla’s XULRunner Rhino embeddable browser code, IBM said. This creates a more efficient Firefox browser for AJAX development, according to IBM. The company also is opening a Web development zone on its developerWorks site, featuring technical resources for AJAX, PHP (Hypertext Preprocessor), RSS and Ruby, as well as Web development frameworks such as Spring, Shale, Struts and Tapestry.