Web 2.0 brings new security challenges
As companies rush to embrace the interactive and rich applications of Web 2.0, many of them are neglecting security. Here's how to make sure you're protected.
In summary:
• Ensure that your developers are paying attention to both general Web security and Web 2.0 security.
• Educate employees about the vulnerabilities of Web 2.0, including some of the new tactics attackers use.
• Create and enforce policies regarding use of external Web 2.0 sites as well as internal Web sites.
In late 2005, a virus called Samy rifled through the online social networking site MySpace, infecting more than one million users in just 20 hours. The infection was able to spread so fast because it took advantage of one of the premier features of networking sites—the profile page. Whenever one person viewed another's profile, he picked up the virus, which was then spread to others who viewed his profile.
Back then, most of those affected by Samy were consumers. But a significant and growing number of companies are adopting the technologies of Web 2.0, which include blogs, Really Simple Syndication (RSS), podcasts, mashups, social networking, wikis, widgets, and even virtual worlds.
In a recent survey of 250 companies in the U.S., U.K., and Germany, conducted by the consulting firm Quocirca Ltd., 58 percent reported using at least some Web 2.0 technologies. But many companies aren't taking steps to protect themselves from some of the new security dangers presented by Web 2.0. Experts recommend, for example, that corporations block or limit the use of Web 2.0 in order to minimize some of the security dangers. In the Quocirca survey, however, 55 percent had no such policies, according to Fran Howarth, principal analyst at the consultancy, which is based in Windsor, U.K.
In the first generation of the Web, the site owner generated and controlled the content. But in the world of Web 2.0, interactive and multimedia applications are embedded in the site, and the content for those applications comes from other sources. "It's a cacophony of user-supplied data," says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a Web application security provider in Santa Clara, California. "With 2.0, there's a many-to-many relationship, so there are all sorts of security considerations."
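The Samy incident and Grossman's "user-supplied data" point come down to one rendering decision: whether a profile field a stranger typed is encoded before it lands in every viewer's page. The following is an added example, not code from the article or from MySpace; the profile fields and the `renderProfile*` helpers are constructed for illustration.

```javascript
// Added example: rendering a user-supplied profile page safely versus unsafely.
// Field names and the sample profile below are constructed, not taken from any real site.

// Characters that change meaning inside HTML text or a quoted attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so the browser treats it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only http(s) links are allowed in a profile; anything else (including
// javascript: URLs or unparsable strings) falls back to a harmless "#".
function safeUrl(candidate) {
  try {
    const parsed = new URL(candidate);
    return ["http:", "https:"].includes(parsed.protocol) ? parsed.href : "#";
  } catch {
    return "#";
  }
}

// Naive rendering: profile fields are concatenated straight into the page, so any
// markup a user stores in their profile runs in the browser of everyone who views it
// (the pattern that let Samy spread from profile to profile).
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1><p>${profile.about}</p>` +
         `<a href="${profile.homepage}">home</a>`;
}

// Hardened rendering: each field is encoded for the context it lands in
// (text content, or a quoted href attribute after URL-scheme allowlisting).
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1>` +
         `<p>${escapeHtml(profile.about)}</p>` +
         `<a href="${escapeHtml(safeUrl(profile.homepage))}">home</a>`;
}

// Constructed sample: a profile whose "about" text and homepage carry markup.
const SAMPLE_PROFILE = {
  name: "Samy",
  about: '<script src="x"></script>',
  homepage: "javascript:alert(1)",
};

console.log(renderProfileUnsafe(SAMPLE_PROFILE)); // markup survives intact
console.log(renderProfileSafe(SAMPLE_PROFILE));   // markup is inert text, link is "#"
```

The same encode-on-output rule applies to every other place user content is echoed (comments, wiki edits, RSS feed items), not only to profile pages.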
Grossman's company provides a service that tests hundreds of the largest and most popular Web sites for application vulnerabilities, and its findings are alarming: Almost nine out of 10 Web sites it tested in the past two years had at least one urgent vulnerability.
What seems to be behind many of the security holes is Ajax, a prevalent Web programming technique that uses JavaScript and XML. Essentially, Ajax embeds code into standard HTML Web pages. "While this allows Web sites to appear more dynamic and interactive, it also means that more of the business logic, such as access control and session management logic, is exposed," says Howarth. Attackers can gain access to and change that code, enabling them to do all sorts of nefarious things.
Web 2.0 security risks
There are several important security aspects to consider when developing or using Web 2.0 tools and sites. First, Web 2.0 applications that you develop for your own Web site, as well as applications from third parties, may contain vulnerabilities that expose visitors to attacks. Second, employees who access external Web 2.0 applications, such as social networking sites, from their work PCs can expose your corporate network to attack. And third, the creative and information-sharing culture encouraged by Web 2.0 can lead to leaks of confidential business information.
Web applications in general are notoriously vulnerable. Many companies that develop their own applications don't build in security, and applications supplied by third parties aren't necessarily any safer, says Grossman.
Building safer Web sites and applications
• If you develop your own applications, consider security early in the process.
• Educate your developers about known vulnerabilities in Web applications in general and in Web 2.0 specifically.
• Incorporate testing for vulnerabilities at several stages of the development process. There are third-party tools available for this.
• With third-party vendors, investigate whether and how the developer ensures security, and include specific security requirements in the contract.
• In addition to testing the application before putting it on your Web site, make sure you retest your site periodically.
Your company may be at significant risk when employees visit Web 2.0 sites. Simply by visiting a social networking site, an employee's PC can become infected with malware, says Charlie Miller, principal analyst of software security at the consulting firm Independent Security Evaluators. In fact, Miller and a colleague recently discovered a way to exploit a vulnerability in a popular multimedia application that would allow a hacker to take over a user's PC. That's why it's so important to make sure you're up to date on the latest patches for all of your Web software. It's also a good idea to upgrade to the latest version of your browser. Windows Internet Explorer 8.0, for example, includes improved security and support for Ajax programming.
Educate, train, and monitor users
Perhaps most important, Howarth advises, is to educate employees about Web 2.0 security risks and to create policies to protect them and your business. Such policies will depend on your own company's determination of the level of risk versus the benefits of Web 2.0. Some companies, for example, may forbid employees from accessing any Web 2.0 site, although that may be unrealistic. More practical are policies that dictate what employees can share about their company when engaging in online personal networking and other interactive activities on the Web, such as hosting a blog.
"Perhaps you can specify which employees may visit or contribute to what type of sites, such as who in the company may contribute to a corporate blog," notes Howarth. But at a minimum, employees need to understand how information shared on these sites can be used to attack them and/or the company.
Indeed, just as companies had to train employees to resist clicking on attachments in phishing e-mails, they now must train them on safe practices in the world of Web 2.0.
Tam Harbert is a Washington, D.C.–based journalist specializing in technology, business, and public policy. Her work has appeared in Computerworld, CIO Decisions, and Network World.