RIA Security Smackdown

Notes from the OWASP Washington chapter meeting where we discussed:

 * Java Applet - very old technology, runs in a sandbox
 * Flash 7 - old Flash movie environment
 * JFX (Sun JavaFX) - new scripting language that compiles to bytecode, runs via Java Web Start
 * Silverlight (Microsoft) - .NET applets that run inside the browser, no privileged code
 * Google Gears - local storage component with a JavaScript API (same-origin policy all the way down)
 * AIR (Adobe, formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents to Consider

 * Threat from external attackers against your desktop application
 * Threat from an attacker against back end systems
 * Threat from malicious developers

Results
Key
 * (Y) - Allowed by the RIA framework
 * (LF) - Limited by the framework (a built-in limitation or control)
 * (LSO) - Limited by the same-origin policy (a special built-in policy)
 * (LD) - Limited by the developer (specified in a policy file such as security.policy, a JNLP file, or crossdomain.xml)
 * (LU) - Limited by the user (specified in a user-controlled policy file)
 * (N) - Denied by the RIA framework
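As an added example that is not part of the meeting notes: the (LD) category means the framework defers to a policy file the developer ships, so its effective security is whatever that file says. For Flash and AIR content that file is crossdomain.xml, and the usual mistake is `domain="*"`, which lets a movie from any origin read responses from the host with the victim's cookies attached. The script below parses a deliberately permissive policy next to a restricted version of the same file and reports the risky settings. Both policy documents and the host name app.example.com are constructed for illustration; the element and attribute names are the documented crossdomain.xml vocabulary.

```python
"""Audit a Flash/AIR crossdomain.xml policy for overly permissive settings.

Added example for these notes, not code from the meeting or from Adobe.
"""
import xml.etree.ElementTree as ET

# Constructed for illustration: a deliberately permissive policy.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed for illustration: the same host restricted to the one origin that needs access
# (app.example.com is an assumed name).
HARDENED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
  <allow-http-request-headers-from domain="app.example.com" headers="X-Requested-With"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text: str) -> list[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged.

    The stdlib parser is fine for policies you constructed yourself, as here;
    use defusedxml when the document comes from an untrusted host.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    findings: list[str] = []

    # "all" makes Flash Player honor policy files anywhere on the host, so a
    # user-uploaded file can grant cross-domain access on the developer's behalf.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(
                'site-control permitted-cross-domain-policies="all": policy files '
                "anywhere on the host are honored, including user-uploaded content"
            )

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(
                'allow-access-from domain="*": any origin may read responses from '
                "this host with the victim's cookies attached"
            )
        # secure defaults to true; "false" lets plain-HTTP origins use an HTTPS policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(
                f'allow-access-from domain="{domain}" secure="false": a policy served '
                "over HTTPS also grants access to plain-HTTP origins"
            )

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain", "") == "*":
            headers = rule.get("headers", "")
            findings.append(
                f'allow-http-request-headers-from domain="*" headers="{headers}": '
                "any origin may add custom request headers"
            )

    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_crossdomain(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed weak policy the audit reports four findings (the `all` site-control, the wildcard domain, `secure="false"`, and the wildcard header rule); the hardened policy produces none. The same approach transfers to the other (LD) files in the key: what matters is not that a policy file exists but what the developer put in it.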