IT-Analysis has a very good overview of Web 2.0 security. While there is nothing completely new in the piece, it is an excellent synthesis of why this expansive redefinition of the Web is rife with danger. Like a good roller coaster or haunted house, Web 2.0 does a good job of mixing chills with fun.
The threats, the writer points out, are both technical and social. On the technical side, the heavy use of AJAX and the move of much processing from servers to client devices heighten risks. Enterprising hackers can far more easily attack Web 2.0 sites with exploits such as cross-site scripting (XSS) simply because there are more opportunities -- "attack surfaces," in techie parlance -- than in traditional scenarios.
The other side is social. The essence of Web 2.0 is increased interactivity. The more folks participate, the more likely it is that they will divulge proprietary information about themselves or their employers.
It's a growing concern. Much of the current Web 2.0 activity is on social networks such as MySpace and Facebook. Though these are identified with teenagers, they must be taken seriously because they are used in the workplace. Moreover, Web 2.0 increasingly is being tapped by businesses.
Ziff-Davis' Innovations raises yellow flags about the security aspects of social networks. It reports, for instance, that experts say Google's OpenSocial initiative could be "a huge new vulnerability." One passage raises red flags. It says companies may "consider accelerating their campaigns to shut down" employee access to social networks, and adds that the U.S. Department of Defense has prohibited use of MySpace, YouTube and other sites.
It's logical to try to reduce their use -- in addition to security issues, employees on MySpace are not working. The danger is that employers will think that simply putting such sites off limits is enough and fail to proactively secure their networks. It's been proven again and again, however, that employees will find ways to use the services they want. They will get to MySpace or Facebook, just as they used Wi-Fi despite company prohibitions. Companies must prepare, regardless of what policies they adopt.
In another post sounding the Web 2.0 alarms, a blogger at Real IT with Enterprise 2.0 says that despite the fact that we are in an era in which applications are moving to the Web, many companies essentially are clueless about how to protect themselves. The blogger mentioned a company that runs 200 Web servers but relies solely on Secure Sockets Layer (SSL) for protection. The good news, according to the writer, is that lots of products are available that will help secure systems in the Web 2.0 age.
The threats are very real. Just this week, according to The Register, Fortinet warned of a social networking attack targeting Facebook users. The exploit -- called "Secret Crush" -- dupes users into inviting friends to join them in downloading the "crush calculator," which is hosted at Zango's site. Instead of revealing who wants a date with the user, the widget downloads adware.
The DSW Connection starts off with interesting numbers from Nemertes Research: 18 percent of companies surveyed use blogs, 32 percent use wikis and 23 percent use Really Simple Syndication (RSS). The heart of the piece is a discussion of Web security gateways. The story discusses various ways of keeping sites secure. URL filtering, the writer says, is a good way of establishing and enforcing policies. Content filtering, as the name implies, scrutinizes the traffic coming into or leaving a network. Finally, the story describes reputation filtering. The best way to use this tool, which assesses whether malware is being distributed by a Web site, is to create blacklists of sites to be avoided.
The Web always has been a dangerous place. The emergence of Web 2.0, which relies on malleability, participation and interactivity, makes things even riskier. Organizations -- even those that aren't using Web 2.0 themselves -- need to take steps to secure both users and their internal systems.