While AJAX (Asynchronous JavaScript and XML) may have issues with security and performance, Zimbra still sees AJAX as the best way to deliver experiences on the Web and has based its open source Web 2.0 platform on 200,000 lines of JavaScript, a company executive said Monday.

At the Web Builder 2.0 conference in Las Vegas, Zimbra president and CTO Scott Dietzen, former CTO of BEA Systems, emphasized a variety of AJAX and Web 2.0 technologies for developers and users, including the extension of AJAX to offline usage.

Despite its problems, Dietzen said he favors AJAX over other technologies such as Flash when it comes to the Web.

"There's no other way to deliver a richly interactive experience on the Web," he said. "If you want the Web look and feel and the ability to mash up all sorts of other Web technologies, I think AJAX is the best fit."

Zimbra, which was acquired by Yahoo earlier this year for $350 million, offers collaboration and messaging software.

Dietzen did cite AJAX security issues such as cross-site scripting attacks, in which user data can get interpreted in the browser, creating a breach. Also noted as a security concern was use of source code in the browser.

"The goal for rich Internet applications at least ought to be to deliver the same level of security that we've delivered for Web applications because to deliver less undermines user confidence in various ways," he said. This is a goal that is close to being achieved, Dietzen said.

Blocking execution of user JavaScript inside of the application is important to combat server-side scripting attacks, according to Dietzen. Obfuscation and minimization technologies to remove white space can be used as security measures, he said. On the positive side, there is no caching of user data on the desktop with AJAX. Dietzen also advised that sensitive code not be put in the browser.

Browsers, meanwhile, also present challenges. They render the same HTML differently and were not designed for the load presented by AJAX; browsers have memory leaks and performance gaps, Dietzen said. But browsers are getting better, Dietzen said.

"Safari 3 is dramatically better," he said. Internet Explorer 7 offers a two to four times improvement in JavaScript execution for Zimbra over Internet Explorer 6, Dietzen said.

Toolkits also have been a problem but that, too, has been getting better. Toolkits now are available from organizations such as Eclipse, Adobe, and Microsoft. "I'm happy to say no more Zimbra developers are using text editors or vi to craft their JavaScript," said Dietzen.

Offline AJAX usage is a "hot topic," Dietzen said. Zimbra now can be used offline, he said.

"The answer for occasionally connected apps is to provide a cache on the client side that allows the application to interact locally with a data set, and synchronize over the network when the network is available," said Dietzen.

Offline AJAX systems can be developed by using a set of caching APIs in JavaScript that enable this. These are accessible via offerings such as Google Gears and Dojo offline toolkit.

Also, developers can program the client in something other than JavaScript, using technologies such Adobe AIR (Adobe Integrated Runtime). Developers build full programs on the client integrated with the browser, like what Microsoft is doing with its Silverlight platform.

But Zimbra used another approach. "What we did at Zimba is we actually took Zimbra server code, which was written in Java, and we created a microserver that runs on my local client," said Dietzen.

Dietzen mentioned the AJAX technique of AJAX Linking and Embedding (ALE), in which one document can be embedded inside another. This expands content-sharing.

Also cited was a technique called "lazy loading," which cuts down loading time for Web pages. With lazy loading, the page loads but other parts of the application, such as calendaring, are loaded only as needed.

Dietzen noted Zimbra's platform enables use of mashups; these feature quickly assembled task-based applications deriving data from other, larger systems. Mashups get Dietzen's vote as the killer app for Web 2.0.