Applications mashing together Web and voice features are all the rage, but enterprises and service providers have security concerns about opening up APIs that your average Web developer can probably afford to ignore.

IBM this week released technology called SMash (for secure Mashup) that aims to improve the security of such so-called mashups. It works by adding an authentication mechanism by which each contributing Web service can be verified and shown to be trusted. Only then does the application allow API access and permit the script to be executed.

“Security concerns can't be a complete inhibitor or clients lose out on the immense benefit mashups bring,” said Rod Smith, IBM Fellow & Vice President, in a statement.

Mashups work by pulling together Web services from all over the Internet strung together using open, published programming interfaces. While initially a Web phenomenon, a variety of players – from VoIP providers and vendors to mainstream service providers – are opening up APIs to network functionality so voice features can be added to the mashup mix.

Carriers in particular are concerned about exposing core network functionality without a way to ensure that malicious code would not take down or degrade service to all its customers across a shared network. While it’s unlikely a bit of Javascript would take down the public network, for many service providers the risks do raise a red flag.

IBM’s solution is written in Javascript so works primarily with AJAX-based mashups, which are built using Javascript. The underlying authentication protocols are left open, and could including Kerberos or Public Key Encryption (PKI) certificates.

IBM is contributing SMash to the OpenAjax Alliance, which it founded. It will be included as part of the upcoming OpenAjax Hub 1.1 standard, slated for release in June.

Another industry effort, OpenSAM (for Open Simple Application Mashups), is setting best practices for mashup creation, including addressing security concerns. Meanwhile, Dataportability.org also addresses mashups as part of its charter, but focuses mainly on data sharing issues.

For SMash to take off, large Web API vendors such as Google, Amazon and Yahoo will need to support the approach and settle on common protocols. The same will need to happen on the communications side for voice features to be part of the secure mashup equation.

IBM plans to include SMash technology in some of its WebSphere application server products as well as its business-focused mashup maker, Lotus Mashups, slated to be available this summer.

IBM will formally debut SMash in a paper presented at the International World Wide Web Conference, in Bejing, China, in April 2008. IBM Research has made initial details available in a technical whitepaper.
-30-