Five enterprise mashup security issues, and what to do about them

Industry veteran urges adoption of mashup security profiles to manage security in the wild, yet-to-be-tamed world of mashups.

Do enterprise mashups, which hand over control of front-end development to end users, represent a security risk? They don't have to.

Chris Steel, a 20-year veteran of the software security industry, says many of the security challenges associated with today's mashups can essentially be addressed by existing security approaches.

Here are the five key patterns to consider when thinking about enterprise mashup security:

  1. Authentication to multiple backend services with different credentials, authentication protocols
  2. Authorization to multiple backend services requiring attributes from disparate sources
  3. Bridging point-to-point protocol security mechanisms such as SSL
  4. Extending compliance rules and regulations out to the cloud
  5. Understanding the implications of your data being used in new ways

Steel observes that with enterprise mashups, "we are confronted with one-to-many relationships, where clients will need to supply (and servers will need to manage) multiple credentials that will be passed to back-end services. In addition, the struggle of providing and enforcing authorization also becomes more challenging as you mash different services with different authorization requirements together in one application."

Steel advocates the adoption of "mashup security profiles" that encapsulate existing authentication mechanisms, enable the storage of credentials across disparate backend services, and manage the login sessions to those services.
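To make the profile idea concrete, here is an added example of a server-side "mashup security profile" broker. It is illustrative code written for this page, not Steel's design or any product's implementation: the two backend mechanisms ("basic" and "bearer"), the backend names, the credentials, the session lifetime and the login exchange (a stand-in that mints a random token instead of calling a real backend) are all constructed for the example. The point it demonstrates is the one-to-many pattern from the quote above: the browser-side mashup holds one relationship with the broker, while the broker stores each user's per-backend credentials, speaks each backend's own authentication protocol, caches and re-establishes expiring sessions, and never hands backend credentials to the client.

```python
import base64
import secrets
import time
from dataclasses import dataclass


@dataclass
class BackendCredential:
    """A user's stored credential for one backend, tagged with that backend's auth scheme."""
    scheme: str        # "basic" or "bearer": the two constructed mechanisms in this example
    username: str
    secret: str        # password (basic) or login secret exchanged for a token (bearer)


@dataclass
class BackendSession:
    """A login session the profile holds on the user's behalf (bearer backends only)."""
    token: str
    expires_at: float


class MashupSecurityProfile:
    """Server-side broker that stores backend credentials, performs each backend's
    login protocol, and manages the resulting sessions. The browser-side mashup
    talks only to this broker and never receives backend credentials."""

    SESSION_TTL = 300.0  # seconds a brokered bearer session stays valid (constructed value)

    def __init__(self, backends):
        self._backends = dict(backends)  # backend name -> scheme it speaks (constructed registry)
        self._credentials = {}           # (user, backend) -> BackendCredential
        self._sessions = {}              # (user, backend) -> BackendSession
        self.logins = 0                  # number of backend logins performed, for inspection

    def store_credential(self, user, backend, cred):
        """Register a credential; refuse unknown backends and scheme mismatches."""
        if backend not in self._backends:
            raise KeyError(f"unknown backend {backend!r}")
        expected = self._backends[backend]
        if cred.scheme != expected:
            raise ValueError(f"{backend} uses {expected!r}, credential is {cred.scheme!r}")
        self._credentials[(user, backend)] = cred

    def _credential(self, user, backend):
        cred = self._credentials.get((user, backend))
        if cred is None:
            raise PermissionError(f"{user!r} has no credential for {backend!r}")
        return cred

    def _login(self, user, backend, now):
        """Stand-in for the backend's real login exchange: trade the stored secret for a token."""
        self._credential(user, backend)           # raises if nothing is stored for this pair
        self.logins += 1
        return BackendSession(secrets.token_urlsafe(16), now + self.SESSION_TTL)

    def session_for(self, user, backend, now=None):
        """Return a live session, logging in again when none exists or it has expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get((user, backend))
        if sess is None or sess.expires_at <= now:
            sess = self._login(user, backend, now)
            self._sessions[(user, backend)] = sess
        return sess

    def auth_header(self, user, backend, now=None):
        """Build the headers for one outbound call, in whatever form that backend expects."""
        cred = self._credential(user, backend)
        if cred.scheme == "basic":
            raw = f"{cred.username}:{cred.secret}".encode()
            return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
        if cred.scheme == "bearer":
            sess = self.session_for(user, backend, now)
            return {"Authorization": f"Bearer {sess.token}"}
        raise ValueError(f"unsupported scheme {cred.scheme!r}")

    def logout(self, user):
        """Single logout: drop every backend session held for the user at once."""
        for key in [k for k in self._sessions if k[0] == user]:
            del self._sessions[key]


if __name__ == "__main__":
    # Constructed backends and credentials for a quick demonstration.
    profile = MashupSecurityProfile({"crm": "basic", "hr": "bearer"})
    profile.store_credential("alice", "crm", BackendCredential("basic", "alice", "s3cret"))
    profile.store_credential("alice", "hr", BackendCredential("bearer", "alice", "hr-login-secret"))
    print(profile.auth_header("alice", "crm"))
    print(profile.auth_header("alice", "hr"))
```

Two design choices carry the security weight here: the credential store is keyed by (user, backend) and `store_credential` refuses backends that are not in the registry, so a mashup cannot be pointed at an unregistered service with borrowed credentials; and `logout` tears down every brokered session for a user in one step, which is the single-logout counterpart of the one-to-many login problem Steel describes.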