Data and Telecom

Negative Numbers for Web 2.0 Security

Posted by Carl Weinschenk Mar 27, 2008 2:03:51 PM

The news from WhiteHat Security is in -- and it isn't very good.

The firm released a study this week that says nine out of 10 websites have at least one vulnerability, and the average site has seven. The insurance industry is the most threatened, with 84 percent of sites suffering urgent, critical or high severity vulnerabilities. The top two problems, according to this report on the findings in Dark Reading, are cross-site scripting and cross-site request forgery (XSS and CSRF).

XSS and CSRF are the vulnerabilities most closely associated with Web 2.0 interactivity and collaboration. For hackers and crackers, this is just what the doctor ordered, and the exposure will only grow as businesses increasingly adopt this more interactive version of the Web.

Put simply, as complex multimedia and interactivity grow, so do the portions of a site that are ripe for mischief -- the "attack surface," in security parlance. The continuing battle to keep the Internet safe led WhiteHat to institute a formal educational program. In my interview earlier this month, Bill Pennington, WhiteHat's vice president of services, said sites built in a more innocent day are being careless with Web 2.0:

What you see people do is that they bolt on Web 2.0. They take Web 1.0, 1.5 and bolt new functionality to make it pretty. That opens it to a whole can of worms.

Another problem, Pennington says, is that developers can be a bit naïve:

A lot of times, when we speak to developers, security people hear comments that would blow our minds, such as, "Why would anyone want to get information out of my database?" Well, they want to do that. We cover why as well as how. A lot of developers don't understand the threat landscape of the Internet. They say, "My site does not have a lot of important data. Why would they want to hack it?" There are any number of reasons. A lot of them have to do with propagating malware across the Internet.

Clearly, the struggle to protect websites is reaching a new level. An executive from Xythos Software offers some general advice on securing Web 2.0 and related applications. Among the ideas is creating a universe of secure Web applications, available through a portal, that would eliminate the need for employees to use riskier consumer tools. That, of course, is an answer only for deep-pocketed companies. More practical approaches include experimenting within departments or on specific projects to see what works, and having a well-understood usage policy. These steps will at least cut down on some of the most obvious mistakes.
