Welcome!

Java IoT Authors: Zakia Bouachraoui, Liz McMillan, Elizabeth White, Pat Romanski, Yeshim Deniz

Related Topics: SYS-CON MEDIA

SYS-CON MEDIA: Article

Visual WebGui 'Empty Client' Security Concept

.

Introduction

The following document is a Visual WebGui security concept summary. Exploring the Visual WebGui unique pipeline protocol will shade light on the reasons why Visual WebGui is secured by design.

Abstract


Visual WebGui is a server based architecture executing the application business logics on the server and projecting the UI to the client (as describes in figure 1 below). Utilizing IIS and ASP.NET session, a metadata of the relevant UI objects tree is kept on the server.

Figure 1

 

A highly optimized protocol by Visual WebGui is responsible to send events to the server and instructions to the client.


Empty Client: the client is using a small, plain and static JavaScript kernel to communicate with the server and render the UI.
Security concept highlight: Visual WebGui client script cannot control the server behavior by definition!


Architecture

Client/Server state balance protocol scenario (as further described in figure 2):

Flow Step 1: The first time the client approaches the server it downloads a small amount of kernel code which is constructed of:


a.    JavaScript- responsible for the client behaviors and communication with the server.
b.    XSLT - responsible for the UI layout including the HTML rendering of the entire set of controls.
c.    CSS  - responsible for UI styling


The kernel is sent in a compressed mode and weights about 200kb. Furthermore, it is cached on the client and on the server statically and will never change from this point on.


Security aspects:
no code generation at runtime, the kernel is well known and static.


Flow Step 2: The client renders the basic HTML to the screen and from that point on it acts like a smart AJAX client which consumes a UI service from the server only.
Security aspects: only UI essential data is sent to the client, no applicative or sensitive data.


Flow Step 3:
Highly optimized events are sent tothe server whenever a client performs a set of action that should result in executing server code. Events metadata are constructed of UI object Id and the action performed.


Security aspects: events are reflecting UI behavior and never applicative logic which is
uniquely handled by the server.


Flow Step 4: The server executes the event handler and sends back highly optimized UI instructions to the client. The instructions are reflecting the deltas of changes between the last balanced state and the new state.


Security aspects: server instructions are reflecting UI changes and presented data changes, however, will never contain hidden applicative logic or data which is uniquely kept and handled by the server.


Flow Step 5: The client accepts the UI changes instructions and re-renders the parts which have changed according to the last server execution of logics.
Security aspects: the client is responsible to render UI and that is the only aspect which is affected by application logics.

Figure 2


Process conclusions:


1.    Client security-holes which are created by either applicative or sensitive data which is kept on the client or even simply sent to the client are impossible by design (as described in figures 3 and 4).

Standard web applications:

Figure 3


With Visual WebGui:

Figure 4

 

2.    Client scripting cannot control the server behavior as by design, simply because the responsibilities of the client are limited to:

  1. Render client UI.
  2. Send client events to the server (yet the server has the freedom to decide which are valid events and parameters according to the current user's  credentials)
  3. Accept server instructions and re-render UI parts


3.    Visual WebGui does not imply to present an ultimate solution for all the security issues of the world, however, through the Visual WebGui communication protocol it will be impossible to hack a web application. This means that assuming https and/or any other incredible secured communication solutions (i.e. WCF) are used to secure the HTTP communication and that the OS and DB are safe on the server side, Visual WebGui application is thoroughly safe.

 

 

More Stories By Marissa Levy

Marissa is a technology writer based in Jerusalem, Israel covering the local software, wireless, and start-up markets. Prior to her coverage of Israeli hi-tech, Marissa worked as a reporter in several English language news outlets. Her writing has been featured in prominent publications such as USA TODAY, FOXNews.com, and the Jerusalem Post. She holds degrees in Journalism and Political Science from The George Washington University in Washington, DC. She can be reached at [email protected]

IoT & Smart Cities Stories
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.