Andreas Engel - BizDev & Marketing Consulting
Because I can do!
andreasengel.com
Saturday, June 28, 2008
  Setting a New Web-Standard with OAuth for Secure API Authentication
Current trends in information architecture, the growth of user-provided information, and the use and combination of single-function applications show that the Internet is shifting to a medium that is more and more structured, with a decentralized authority.
Instead of using a single site for all online needs, users use different sites and services to manage their online experience, relying on state-of-the-art Data APIs that allow applications to access their data. Using a Web standard like OAuth for secure API authentication gives your users access to their data while protecting their passwords and other protected areas. From OAuth:
"Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything."
Here is a short demo of what it means to end users:

While reviewing one of the latest Google innovations, Google App Engine, which lets one run Web applications on Google's infrastructure with no servers to maintain, I found it worth mentioning OAuth as an open standard for secure API authentication: OAuth is now supported on all of the Google Data APIs. If you are familiar with UML or sequence diagrams, it's easy to understand the Google Data API authentication process. More on the Google Data APIs blog.



 
Thursday, February 14, 2008
  Handling Open Web Application Security
As market dynamics change, digital business is quickly becoming the method of choice for any enterprise to offer products and services on demand to its market, applying next-generation information infrastructures with AJAX as an ideal partner to complement modern SOA architectures.

But moving applications to the Web also raises a lot of questions about how to deal with security issues. OWASP is an open project and a community that helps people make informed decisions about Web application security risks. In 2007 the most serious web application vulnerabilities (as PDF) were:
  1. Cross Site Scripting (XSS)
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery (CSRF)
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access
For the most prevalent Web application frameworks, and especially for open source development, where open source software became the most prominent face of open source, the OWASP project represents an excellent resource to stay informed and make decisions about application security.

The project also provides a comprehensive guide to building secure Web applications and Web services, and many recommendations for project managers, application owners and, of course, C-level executives.
