AJAX Security in the Web 2.0
June 19, 2006
I recently received a support email from a client who was concerned about our security in reference to two articles he had read on internet security with regard to the Web 2.0.
The second article was about how AJAX can amplify security threats if you are not careful.
Here is part of my reply:
Thank you for sending me links for those articles. I have just read through them. FreshBooks does not use AJAX for e-mailing or sending/creating data, so the majority of the vulnerabilities described in those articles do not apply to FreshBooks.
However, those articles serve as a good wake-up call for where we are headed in the future: social software.
As one of the articles states:
“While AJAX by itself doesn’t create new security risks, it has a tendency to amplify the seriousness of several well-understood threats…”
In FreshBooks, we use AJAX functions in controlled and confined situations such as using a coupon for an upgrade or retrieving your invoice item data. The data flow is always for information retrieval. As a result, there is no medium to amplify any threats that could exist. As we expand our online application to more community-based software, this is something we will be increasingly considering.
For those of you who are concerned about security and backups, I can assure you that your financial data is very well protected. Our server is hosted by Rackspace, the leader in managed hosting with clients such as the US Marines, Pfizer, General Electric, Cisco, Sony Music, and Hershey. They are based in Texas and we have in place a number of procedures to prepare for a major disaster.
Your data on our server is backed up daily and weekly. The backups are transferred to a separate facility located in several locations and a long distance from our data center. In the event of a disaster at one of our data centers, your data is protected and we have a plan in place to restore a new server in a different location with the backed up data. Our databases can be restored within 24 hours.
Don’t forget that we believe that you own your data, so you can always export your data in your reports to a CSV/Excel spreadsheet and keep your own backups.
If you have any questions or concerns regarding our security or backups, feel free to post them.