As I have posted previously, web applications that use mashup technology face a number of hurdles that must be overcome so that they can function as effectively as possible as often as possible. I have previously discussed the problems that come from ill-designed screen scraping scripts and the copyright issues surrounding the information being mashed. In this blog post, I am going to take a look at the problems mashups can have with privacy and security, that can threaten both the system providing the mashup data and the systems using the mashup data, as it is outlined in the above linked article from the IEEE.
As the article linked above explains it, there are a number of ways that mashups can suffer from security and privacy issues. Firstly, many mashups are essentially “black boxes” that don’t immediately reveal all the aspects of how they function to the user, and thusly are difficult to trust with important information. Secondly, the ease of use provided by mashups also brings an element of instability (since a program is made of many interlocking parts that may not always be made to work together) and thusly could expose systems to security risks that exploit these potential instabilities. Thirdly, many mashup services rely on the transfer of data between the program and the cloud, opening up potential new areas of danger. The article also brings up a host of other issues that affect security and privacy, such as the questionable trustworthiness of the data given, the copyright issues behind the data (as previously explained in a different blog post), potential information leakage from monitoring connections, the possibilities of distribution of sensitive information to unauthorized users, and how mashups can make data even more sensitive by grouping all of it in one place.
After reading this article, it appears to me that mashups desperately need a formal system of review, in order so that they can be evaluated for potential issues before they arise. Any company that wishes to implement mashup based applications will need to create some sort of review process to take a look at all the pieces they plan on using, how they work together, and potential weaknesses that come from using mashups as opposed to building the program from scratch. I have been of the opinion for a while now that when one builds a piece of software, one should do it well or not do it at all, and in order to do that, I feel that one should evaluate everything one is doing to build the system, including all the pieces used. Otherwise money and time is wasted and extremely sensitive information could be lost or stolen.
So, what do others think about the risks to privacy and security posed by mashups? How do we solve these problems? How closely should we look at the software and data being used by our programs? Does taking the time to sit down and examine these programs closely cost too much for what is gained?
-Noel Hansen.
No comments:
Post a Comment