A 'Swift' Kick to the Secure Development Process
New system makes it easier to write secure, robust, and high-performance Web applications
January 18, 2008
I’m not a big fan of tools that make it easy for mere mortals to develop fancy Websites. While I can’t say that the democratization of the Web is a bad thing, I think that there are some things that frankly should only be done by people who know what they are doing.
I could go into a long discussion about incompetent site developers, but I suspect that most security pros already know the problems of having "secret" data reside on the client side of the client-server equation, and of cross-site scripting vulnerabilities.
Recently, while reading some papers from the 2007 ACM Symposium on Operating Systems Principles, I found a paper about a system called Swift. It was developed by a group at Cornell University, with the goal of making it easier for developers to create secure, robust, and high-performance Web applications.
There is a lot to Swift, so if you want the full picture, check out the paper in its entirety. I’m just going to highlight some of the important bits.
In addition, the system uses the Google Web Toolkit to handle the generation of the client code, which decouples the user interface from the critical security components of the system. Fixes to GWT, such as those required by the recent cross-site vulnerability, will be transparently adopted by a simple recompilation.
Of course, this also means that the code is vulnerable to any bugs in the Web toolkit chosen, but the loose coupling of the front-end toolkit allows the developer to choose a suitable client-side framework.
Swift is a really cool idea, but one that only real Java programmers will be able to use – which I consider a Good Thing. Further, the use of labels requires that developers specifically think about data flows in advance, which could actually do more for security than the Swift compilers themselves.
Do yourself a favor and send your development teams to check it out. Currently in version 0.9, with a license that doesn’t allow for commercial use, it is clearly not quite ready for deployment. But Swift – or something like it – needs to be part of your bag of tricks, and you’ll impress the pants off your developers by pointing them toward it today.
— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading