Thursday, December 22, 2011

New Security Concerns with HTML5 - Guest Security Expert

We are fortunate to have a guest mobility and security expert, Joe Bulman, share his HTML5 insights with us today in this article.  Thanks Joe!

A recent survey (State of BYOD) reported, “Enterprises are widely embracing Mobile Device programs, including the most highly regulated and security conscious industries.” Additionally, there is no doubt that the variety of mobile device selections has grown significantly. For these reasons, businesses must support a best-of-breed security device approach rather than predicting and attempting to police specific technologies. HTML5 relates to this growing trend of mobile devices within an organization through the provisioning of applications to these devices.

HTML5 is more than a web markup language, it is a suite of technologies that improves the usability of web applications. While HTML5 entails the usual updates to HTML such as tags, styles and field types, many additional features are incorporated like multi-threading, local databases and a brand-new protocol called WebSockets.

The reason for a new protocol lies in the inadequacies of HTTP for building today’s web applications. HTTP is big and slow; too big when scaling infrastructure and too slow for pages with dynamic content. While many existing web apps work fine today, they are using third party technologies such as Adobe Flash to supplement HTTP. With online and mobility business models at risk, a kinder, gentler technology (read: non-proprietary) is required. That’s where HTML5 hits the mark. Steve Jobs stated, “The world is moving to HTML5.” Apple iOS, Google Android, RIM PlayBook and BlackBerry OS are all equipped with HTML5 support.

HTML5 on the device will power a range of online business applications including messaging, collaboration, intelligence, data and mobility. According to a Cisco study (Entering the Zettabyte Era, 2011-06-01), global business Internet traffic alone will grow by 19 percent from 2010 to 2015; however, mobile business traffic will increase by 79 percent compounded. The “connected device” is quickly becoming the platform of choice, delivering applications rich with HTML5 content. Unfortunately, this content explosion will come with security consequences. How do you protect a myriad of devices using a plethora of content over a range of protocols?

Traditionally, locks are placed on the doors to our businesses. That was once sufficient for keeping most bad guys out. With the arrival of the Internet came a new type of ubiquitous intruder known as the hacker. Firewalls, Intrusion Detection/Prevention systems and Web gateways arrived to the organization’s defense. These solutions provided adequate protection for the limited content flowing through the networks. With today’s richer HTML5 content, new protocols such as WebSocket and disparate devices, businesses must do more to protect themselves. So where do devices, content and protocols meet? At the network!

A winning yet secure mobile and HTML5 strategy must center on the secure delivery of ‘clean’ content flowing in and out of the organization at its most accessible spot, the network. Fortunately, a new breed of security technology has arrived to tackle such content, Deep Content Inspection (DCI). Applying DCI at the network layer works much the same as anti-malware works on the desktop. Content is scanned thoroughly for malware, viruses, spam and data leakages, and if deemed clean, it can continue on to or from the device. If it is not clean, the content will be prevented from proliferating. Not all DCI implementations are equal, since full visibility of all content is a requirement. Organizations will need to choose a DCI vendor who fully supports HTML5, including its powerful, yet stealthy WebSocket protocol.
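Part of what makes WebSocket "stealthy" to a network inspection engine is that every client-to-server frame is masked with a 4-byte XOR key (RFC 6455), so a scanner that pattern-matches the raw bytes on the wire sees only noise. The following Python is an added example, not code from the article or from Wedge Networks: it parses WebSocket frames from a captured byte stream, unmasks the payloads, and runs a simple content check over them, in the spirit of the DCI scanning described above. The sample traffic and the SSN-style data-leakage pattern are constructed for the demonstration.

```python
"""Added example: parse RFC 6455 WebSocket frames so payloads can be
inspected in transit.  Not part of the article; sample data is constructed."""
import re
import struct

# Opcode names from RFC 6455, section 5.2
OPCODE_NAMES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
                0x8: "close", 0x9: "ping", 0xA: "pong"}


def build_frame(payload: bytes, opcode: int = 0x1, mask_key: bytes = b"") -> bytes:
    """Encode one final (FIN=1) frame.  RFC 6455 requires client->server frames
    to carry a 4-byte mask; used here only to construct sample traffic."""
    header = bytes([0x80 | opcode])
    mask_bit = 0x80 if mask_key else 0x00
    n = len(payload)
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 1 << 16:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
        header += mask_key
    return header + payload


def parse_frame(data: bytes):
    """Parse one frame from the start of `data`.
    Returns (frame_dict, bytes_consumed); raises ValueError if truncated."""
    if len(data) < 2:
        raise ValueError("truncated header")
    b0, b1 = data[0], data[1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x7, b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:                      # 16-bit extended length
        if len(data) < pos + 2:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    elif length == 127:                    # 64-bit extended length, MSB must be 0
        if len(data) < pos + 8:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack("!Q", data[pos:pos + 8])
        pos += 8
        if length >> 63:
            raise ValueError("invalid 64-bit length")
    key = b""
    if masked:
        if len(data) < pos + 4:
            raise ValueError("truncated masking key")
        key = data[pos:pos + 4]
        pos += 4
    if len(data) < pos + length:
        raise ValueError("truncated payload")
    payload = data[pos:pos + length]
    if masked:                             # undo the XOR mask before inspection
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    frame = {"fin": fin, "rsv": rsv, "opcode": opcode, "masked": masked, "payload": payload}
    return frame, pos + length


def iter_frames(stream: bytes):
    """Yield every complete frame in a captured stream, in order."""
    pos = 0
    while pos < len(stream):
        frame, used = parse_frame(stream[pos:])
        yield frame
        pos += used


# Constructed data-leakage signature: a US-SSN-shaped number in the payload.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def inspect_stream(stream: bytes):
    """Return one (verdict, opcode_name, reason) tuple per frame."""
    verdicts = []
    for f in iter_frames(stream):
        name = OPCODE_NAMES.get(f["opcode"], hex(f["opcode"]))
        if f["opcode"] in (0x1, 0x2) and SSN_RE.search(f["payload"]):
            verdicts.append(("blocked", name, "SSN-like pattern in payload"))
        else:
            verdicts.append(("clean", name, ""))
    return verdicts


# Constructed sample traffic: two masked client->server text frames and one
# unmasked server->client pong.
SAMPLE = (build_frame(b"hello from the device", mask_key=b"\x12\x34\x56\x78")
          + build_frame(b"customer ssn 123-45-6789 exported", mask_key=b"\xde\xad\xbe\xef")
          + build_frame(b"pong", opcode=0xA))

if __name__ == "__main__":
    for verdict in inspect_stream(SAMPLE):
        print(verdict)
```

Running the block prints a verdict per frame; the second frame is flagged only because the parser unmasked it first, which is the visibility requirement the article places on a DCI product. A real inspection engine would additionally reassemble fragmented messages (FIN=0 plus continuation frames) and handle negotiated extensions such as permessage-deflate before applying its signatures.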

You may contact the author with any questions.  His contact details follow:

Joe Bulman
Senior Systems Architect, Wedge Networks
For more information on HTML5 protection, visit


Kevin Benedict, Independent Mobile Industry Analyst, Consultant and SAP Mentor Volunteer
Follow me on Twitter @krbenedict
Full Disclosure: I am an independent mobility analyst, consultant and blogger. I work with and have worked with many of the companies mentioned in my articles.