October 20, 2006

Analysis: Web 2.0 Technologies

(Page 2 of 7)

Unsafe At Any Speed

More than half of readers responding to our recent SOA reader poll didn't have comprehensive security in place--heck, 33 percent had no strategy whatsoever to protect their Web services infrastructures (see "Marshall Your Web Services" and "NWC Analytics: Strategic SOA Management").

With a foundation like that, good luck trying to lock down Web 2.0 applications. Ajax and REST have a higher requirement for traffic validation than the more narrowly defined SOAP, which is constrained by well-defined XML schemas and WSDL-based contracts. Ajax data flying back and forth between browser and server is rarely predefined by a schema, and in cases where development has occurred using toolkits like those from the Dojo Foundation, IT may not even have control over those formats!

And yet, you need to secure and validate data, for the safety of both the client and the server. You also must monitor and manage traffic to understand the load on your network, which will get a workout once Web 2.0 technologies are deployed. Even if bandwidth usage doesn't increase, the number of requests your Web and application servers need to support will go up. And this load will cascade, putting an additional burden on just about every piece of Web application infrastructure in your data center.

SOA security gateways offered by Forum Systems, IBM-DataPower, Layer 7 Technologies and Reactivity have long been capable of securing SOAP, but out of the box they're less adept at dealing with generic Ajax and REST traffic. Problem is, they can't use the industry-standard WS-Security to lock down Web 2.0 apps because, by default, neither Ajax nor REST understands SOAP--a requirement for WS-Security.

Fortunately, SOA security gateways are, for the most part, capable of protecting any XML-based data and will block malicious attacks, such as SQL injection and cookie poisoning, that are injected into Ajax requests. Most can validate Ajax if a schema exists, or at least ensure that the data is well-formed (see our review of one such offering at "XML Threat Defense"). Most products in this market are capable of extracting credentials from XML messages using XPath, but discuss this option with your chosen vendor before signing on the dotted line.

Standalone XML firewalls, such as Forum Systems' XWall and Reactivity's XML Firewall, are a less expensive source of protection against attacks injected into XML traffic. XML firewalls are one component of the SOA security gateway that should be implemented, even if a large SOA initiative isn't in your future.
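
The checks described above (well-formedness first, then validation against a schema where one exists) can be sketched in a few lines. This is an added example, not code from the article or from any vendor named in it; the `<order>` message, its field patterns and the 4 KB size cap are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 4096  # assumed size cap for a single Ajax message

# Hypothetical contract for an <order> message: child element -> allowed value.
ORDER_SCHEMA = {
    "sku": re.compile(r"[A-Z0-9-]{1,20}"),
    "quantity": re.compile(r"[0-9]{1,4}"),
    "note": re.compile(r"[\w .,!?-]{0,200}"),
}
REQUIRED = {"sku", "quantity"}


def validate_order(payload: bytes):
    """Return (accepted, reason) for one XML request body."""
    if len(payload) > MAX_BYTES:
        return False, "oversized"
    try:
        # Accept UTF-8 only, so the DTD check below sees what the parser sees.
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not-utf8"
    # Refuse DTDs outright: no entity expansion, no external entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "dtd-not-allowed"
    try:
        root = ET.fromstring(text)  # well-formedness check
    except ET.ParseError:
        return False, "not-well-formed"
    if root.tag != "order" or root.attrib:
        return False, "unexpected-root"
    seen = set()
    for child in root:
        pattern = ORDER_SCHEMA.get(child.tag)
        if pattern is None or child.tag in seen:
            return False, "unexpected-element:" + child.tag
        if len(child) or child.attrib:  # leaf elements only, no attributes
            return False, "unexpected-structure:" + child.tag
        if not pattern.fullmatch(child.text or ""):
            return False, "bad-value:" + child.tag
        seen.add(child.tag)
    if not REQUIRED <= seen:
        return False, "missing-required"
    return True, "ok"
```

The allowlist rejects a value such as `1 OR 1=1` because it does not match the field's pattern, not because it was recognized as an attack; the application behind it should still use parameterized queries.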

It's The Components, Stupid

The advent of Web 2.0 technologies raises the bar for Web analytics as well. The old paradigm of analyzing Web site usage by page views just doesn't work with Web 2.0 technologies like Ajax and Flex/Flash.

As is true with other service-oriented technologies, log-culling apps are unable to provide thorough analysis of Web 2.0 sites. And, very few Web analytics products in use today can accurately provide a picture of component usage--counting page views isn't enough anymore. Each component essentially acts like its own page within an application, so page-oriented Web analytics apps are woefully unable to accurately measure the use and effectiveness of Web 2.0 technologies. The page (the application) is loaded once, but its components (such as combo boxes, lists or tables) may load data multiple times throughout a user session.

Omniture is one of the few Web analytics vendors to have addressed this issue. Through instrumentation, its SiteCatalyst can provide detailed measurement and usage statistics of Web 2.0 components, for both Flex/Flash (through ActionScript) and Ajax (through JavaScript). This measurement and monitoring is critical to understanding the value your customer base places on Web 2.0 components--the data provided by such systems can indicate whether the new additions are hindering or enriching the user experience, provide metrics on the most popular components on your site, and assist in determining whether the ROI on your Web 2.0 investment has panned out as expected.
