Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Achieving Web 2.0 security

InfoSecurity Europe : 13 February, 2009  (Special Report)
Roger Thornton of Fortify and Jennifer Bayuk provide insight into operating a Web 2.0 environment securely
See our events guide listing for more details

Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. There are two Web 2.0 concepts that change the game for CISOs, and that they need to understand. The first is the introduction of rich client interfaces (AJAX, Adobe/Flex) while the other is a shift to community controlled content as opposed to publisher consumer model. Both have serious security issues.

It's all good news about Web 2.0, right? Yes, unless you happen to be responsible for securing the Web 2.0 environment for your business or enterprise. Then, you might just lament that we've taken the data-rich server model of the 1970's and grafted it onto the interface-rich client model of the 1980's and 90's, giving us more capabilities but also a more complex—and vulnerable—computing environment.

We have to deal with the problems traditionally encountered using interface-rich clients—viruses, Trojans, man in the middle attacks, eavesdropping, replay attacks, rogue servers and others. And all of these apply to every interface in a Web 2.0 mashup, which could have dozens of clients in one application

In addition, the user community has changed from being simply indifferent to being willfully ignorant of the value of information. Users willingly post the most revealing details about their employers and their professional lives (not to mention their personal lives) on MySpace, Facebook, LinkedIn and Twitter—information that is easily available to just about anyone.
The problem is painfully obvious for the security professional: More complexity and openness creates vulnerabilities and opportunities for attack and the release of confidential information. This all results in more headaches for security professionals who have to be vigilant in order to keep their IT environments secure.

Although some companies have tried all options, you can't easily write your own browser, isolate your users from the Web, or control everything that happens on their PC desktop. However, there are steps you can take that can seriously improve your odds of winning the battle over Web 2.0 vulnerabilities.

For community controlled content:

1. Educate yourself and your company, developers, vendors and end users about Web 2.0 vulnerabilities. Institute a clearing process for the use and inventory of new Web 2.0 components before they are incorporated into your business environment.
2. Segregate users' network access for those who need and those who don't need access to social networking sites.
3. Establish a policy identifying inappropriate professional topics for public discussion on the Web or through online social services.
4. Create desktop policies and filters that block, as much as possible, interactions with unknown and untested software.

When deploying rich client interfaces:

5. Assign a cross-functional team to work with software development and application owners to educate themselves on the risks of incorporating Web 2.0 components into applications. Have your own developers recognize and control the use of potentially vulnerable tools such as ActiveX and JavaScript.
6. Require your vendors to meet secure coding standards.
7. Vigorously stay on top of vulnerabilities and exploits. Use your Web 2.0 inventory to establish a quick response plan to mitigate software as issues arise.

Fortify is taking the lead in educating Web 2.0 developers about the security vulnerabilities of their sites and services. Fortify's Resource Center helps educate Web 2.0 developers about the security vulnerabilities of their sites and services by publishing the latest research in software risk mitigation, application vulnerability detection, and best practices in secure software development. Check it out to ensure you stay up-to-date on the latest security vulnerabilities and defenses against them.

Fortify is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th - 30th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo