Does AngularJS Meet Enterprise Security Needs?
Posted by Itay Herskovits on Jan 20, 2015
A significant portion of the AngularJS development community is focused on so-called “greenfield” development – new apps built against an essentially empty database or a new concept. While this is a common way to implement a new Angular app, it ignores a lot of the benefits that existing applications can reap from transitioning to an Angular-focused development environment. Below we’ll look at some of the concerns faced by enterprise customers converting to Angular, and how they can be mitigated.
The first concern of any major organization transitioning an existing product is security. A common worry with new technologies is that they might introduce security holes into an organization’s IT infrastructure. Luckily this concern isn’t very severe in an Angular environment. Angular focuses exclusively on data presentation – an Angular application typically communicates with a server over an HTTPS interface, be that a RESTful API or a simple web service, and then presents the data it obtains on screen. From this perspective, securing an AngularJS application is as simple as enforcing the good security practices your organization is already following – maintain secure sessions on the server, guard against injection attacks, and guard against abnormal calling patterns.
For organizations looking to expose their Angular front-end to a larger population, there are also several mechanisms already in place to prevent various cross-site attacks such as XSS and CSRF. Angular’s $http service, for example, provides an out-of-the-box mechanism for CSRF protection (though some server-side work is needed to support it). Additionally, Angular supports expression evaluation compatible with a Content Security Policy (its CSP mode) and offers Strict Contextual Escaping, which together should mitigate most client-side security concerns. If all else fails, AngularJS is also very flexible when it comes to integrating with tried-and-tested third-party security libraries and protocols, such as OAuth.
Leveraging Existing Data
One of the biggest benefits of AngularJS is that it doesn’t impose any restrictions on the underlying data management system. The most popular method of implementing an AngularJS application is using RESTful APIs which provide all access to the underlying database. By making use of internal APIs that may already exist, you can simply replace your existing frontend code with an Angular equivalent. This also allows you to re-use any existing server-side security with minimal effort. Furthermore, if the application being replaced was already built using a web application framework like Django or Rails, the switch is as simple as a front-end swap, allowing you to quickly enhance your website’s performance by taking advantage of Angular’s directive-based implementation style.
A significant concern when augmenting an existing application to use AngularJS is whether it can use existing security policies to maintain level-of-access restrictions according to departmental guidelines. With Angular’s flexibility, there are a number of options for integrating existing domain systems – such as ActiveRecord/LDAP – into the application’s login and security flow. Because AngularJS is exclusively a client-side inclusion, this type of functionality isn’t included natively. However, there are numerous supplemental libraries – such as ldapjs on the server side – which allow single sign-on to be implemented through the interaction between AngularJS and those libraries, with the directory bind and credential handling staying on the server so that directory credentials are never exposed to the browser. Making use of these external libraries is as simple as including the code and performing a quick security review to ensure that no additional vulnerabilities are introduced.
With most of the blog articles and newsgroup discussions on AngularJS focusing on new development – be that a new web face for a new application, or fresh development within an existing software organization – it is easy to lose track of the utility of AngularJS in the enterprise space. Many of the concerns that come into play with enterprise-level development are already addressed by either AngularJS or associated libraries. Using the above information as a base, your organization should easily be able to apply AngularJS to any existing projects that match the web development paradigm.
Build your Angular app and connect it to any database with Backand today. – Get started now.