Get Smashed, Not Mashed

I hate to be the teetotaler at the mashup party, but someone has to take a sober look at the security implications of this emerging approach to business intelligence.

Mashups let you take data from an outside source and combine it with your own data to yield new information or insight.

Think about that for a minute. Data from somewhere else running on your network? Even if the person who initiates the mashup believes the data comes from a trusted source, do you know if the originating systems meet your security standards? Are those systems at current patch levels? If your business works in a regulated environment, will such a mashup put you out of compliance?

Do you have people on staff who are up to date on mashup security issues? Here's one to consider: For mashups to work, you have to suspend the security feature in browsers called same-origin policy. Same-origin was designed to stop one Web site from dropping malicious code onto another.

Oh, and then there's JavaScript. Does the mashup your company is creating include JavaScript from outside your company?

Think about that one. Your data. Someone else's script processing it. Is it proprietary data of special value to your enterprise? Do you know exactly what the script does with your data?

You should also ask yourself whether you would treat the data in a traditional BI app as cavalierly as some people use data in a mashup. As Chris Rafter, vice president of consulting services at Logicalis Inc., a technology services company with a BI practice, explained to me, "Mashups violate some of the unwritten rules of business intelligence."

For example, he says, BI apps are generally built around a data warehouse, which is highly secured and certainly unreachable by outsiders. He also notes that good governance for BI precludes generating reports laden with unaudited external data.

This isn't to say you shouldn't explore mashup technology behind your firewall and with your own data sources, or with data from established and vetted partners whose scripts you have scrutinized and tested. Mashups can be a quick way for business analysts to get insight from the knowledge locked in different silos inside your organization, where most of the illuminating information about and for your business resides.

But be wary of business units that want to contrast internal data with data from outsiders -- say, a boutique market research house that can stream information to your network. The data may be golden, but it could turn into fool's gold if that firm's data-streaming application doesn't conform to WS-Security standards and its program gets compromised.

The bald fact is that mashups open another door for malware.

Earlier this year, IBM contributed code called Smash (a play on the term "secure mashups") to the OpenAjax Alliance, an open-source consortium that promotes IT's use of AJAX, the technical foundation of mashups. Smash permits two sources to supply content for a mashup but keeps the source material separate, opening a secure communications channel between the sources so the mashup can occur. If you're not using Smash or tools like it to secure your mashups, you're taking a gamble with your company's reputation and its information.

But, hey, don't let me spoil the party.

Mark Hall is a former Computerworld editor at large. Contact him at

This version of the story originally appeared in Computerworld's print edition.


Copyright © 2008 IDG Communications, Inc.
