January 21, 2013

Facing HTML5 Security Threats

Websites and apps are quickly adopting HTML5 for its richer user experience. HTML5, the fifth revision of the HTML markup language, together with CSS3 and a series of JavaScript APIs, enables developers to create apps and websites with the functionality, speed, performance and experience of desktop applications.

According to a recent McAfee Labs report, 74 percent of users in North America, 72 percent in Asia and 83 percent in Europe use browsers that support the majority of HTML5 features. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.

However, HTML5 also brings security threats. Because technologies such as HTML5 and WebRTC are reducing the need for plug-ins, exploits focused on plug-ins will decline, but the additional functionality creates a larger attack surface and therefore more opportunities for attackers.

I recently spoke with Dennis Holmes, director of mobility and infrastructure solutions at Internetwork Engineering, a provider of technology solutions spanning three distinct architectures – data center, collaboration and intelligent networks – about the increase in security threats and how the company works to face them.

“HTML5 has some particular vulnerabilities,” explained Holmes. “Those threats are potentially there, leaning heavily on MDM and risk management companies to develop malware solutions that are going to be able to strengthen and harden those operating systems, but we’re really sticking to hardened operating systems. We’re putting rules through the identity services engine that say when a person can connect to network assets – not just when, but where.”

According to Holmes, traditional mobile device management has always worked in the past, but with new vulnerabilities, companies have to depend more on third-party applications. Internetwork Engineering partners with Fixmo, a provider of mobile risk management solutions, to verify the integrity of mobile devices and apps, protect them from private data loss, monitor and track regulatory compliance, and enable users to prove it through enterprise reporting and audit ability.

“The thing I like about them is they not only secure the data and provide security for the mobile device, but they also have audit ability. They have an audit report that is generated up to every 10 minutes on the device, so at any point and time you can tell when the device has been breached.”

In addition to an audit trail-capable reporting solution, there is also a selective wipe feature available.

“If I’m a healthcare professional and I work at three different hospital groups, I can put that data in three separate partitions on my phone. The corporate device management team can selectively wipe data if I leave one company. There’s a lot to be said about that level of flexibility,” said Holmes.

As a Cisco partner, Internetwork Engineering uses a combination of solutions to build an internal infrastructure that is protected from the standpoint of a traditional Wi-Fi or wired network for devices that plug in to those networks. Cisco takes a hybridized approach to security on mobile devices.

“You’ve got to look at it from the holistic view,” explained Holmes. “We’re always looking at where you’re connected, when you’re connected and what device you’re connected on. We can shun the traffic at different points based on what happens.”

The company also offers a security consulting practice. Companies can turn to Internetwork Engineering if they developed an app but would like another party to come in and beat it up to find any holes or portals the company may have missed.

In the McAfee report, the company makes its predictions for 2013, saying, “In 2013 we will see browsers expand on HTML5 features and improve HTML5 compatibility. HTML5-based applications and websites will continue to grow. We’re certain that attackers will turn their attention to finding holes in HTML5 security in 2013. The question is how quickly they’ll succeed.”


Edited by Allison Boccamazzo

