Are Web 2.0 Technologies Worth the Risk?


Web 2.0 technologies, with their ability to let users create communities, work collaboratively and interact in various online settings, are powerful tools. Some businesses can't get enough of them for interaction with consumers, networking, marketing, training and project management.

Unfortunately, in the rush to create these powerful tools, security was an afterthought. Some of the more notable Web 2.0 attacks were the Twitter Trojan, the Facebook worm, and the Samy worm and Spaceflash attacks on MySpace, in which cross-site scripting was used to change users' profiles. The German version of Wikipedia was used to spread links to malicious sites, and Blogger.com, one of the most popular blog platforms, was used to set up blogs that injected malicious links into legitimate blogs in the form of comments. Right now, as you're reading this, the Koobface worm is wreaking havoc on Facebook users and their contacts.

What should really concern CISOs are the programming techniques that give these sites their interactive capabilities. Currently, most developers build that interactivity with Ajax (Asynchronous JavaScript and XML). Ajax itself does not create the vulnerabilities, but it enlarges the attack surface: more of the application logic runs in the browser, and every background request adds a server endpoint to protect and a response that client-side script must parse and render, where untrusted data can become executable content. According to Shreeraj Shah, founder of Net Square, Ajax, RIA and Web services are the top three attack vectors likely to affect Web 2.0 technologies. Of course, if Web 2.0 developers prioritize secure coding practices, including extra testing focused on the known vulnerabilities of the technology, so much the better for the end product.
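To make the Ajax attack surface concrete, here is an added example that is not code from the article or from any of the sites it names. It shows the two client-side steps every Ajax call goes through, parsing the response and rendering it into the page, each in a vulnerable and a hardened form. The profile record, the payload in its "about" field, the trojaned response body and the `hasEventHandlerTag` check are all constructed for illustration; the check is a crude pattern match to show the difference between the two renderers, not an XSS scanner.

```javascript
// Added example (not from the article): two places where an Ajax client
// widens the attack surface, each with a vulnerable and a hardened form.
// All data below is constructed; the payloads are illustrative, not a real worm.

// 1. Rendering server data into the page.
// A profile record as a JSON endpoint might return it. The "about" field is
// user-controlled and carries a stored-XSS payload (constructed).
const profileJson = JSON.stringify({
  user: "alice",
  about: 'Hi! <img src=x onerror="fetch(\'/friend/add?id=1337\')">'
});

// Vulnerable: concatenate data straight into markup, which is exactly what
// element.innerHTML = "<p>" + data.about + "</p>" does in a browser.
function renderProfileUnsafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h2>${p.user}</h2><p>${p.about}</p></div>`;
}

// Hardened: escape HTML metacharacters before interpolation. In a real page
// prefer textContent or a templating engine that escapes by default.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderProfileSafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h2>${escapeHtml(p.user)}</h2><p>${escapeHtml(p.about)}</p></div>`;
}

// Crude illustrative check (not an XSS scanner): does the markup still hold
// an element carrying an on* event-handler attribute?
function hasEventHandlerTag(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// 2. Parsing the response body.
// Early Ajax code often did eval("(" + responseText + ")"). Anything the
// server, a compromised API, or a man-in-the-middle appends to the response
// then executes in the user's session. Constructed response body:
const trojanResponse = '({"user":"alice"}); globalThis.ajaxHijacked = true';

function parseWithEval(text) {        // vulnerable: runs whatever it is given
  return eval(text);
}

function parseWithJsonParse(text) {   // hardened: JSON.parse accepts data only
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

console.log(renderProfileUnsafe(profileJson)); // payload survives as live markup
console.log(renderProfileSafe(profileJson));   // payload shown as inert text
console.log(parseWithJsonParse(trojanResponse)); // { ok: false, error: 'SyntaxError' }
```

Run it with `node` to see the two rendered strings side by side. The lesson generalises beyond this one payload: the server-side input filter is only half of the defence, because any value the client script interpolates into markup or passes to `eval` is a second injection point that lives entirely in the browser.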

The fact is that users like the interactive capabilities of social networking sites like Twitter, Facebook and LinkedIn, and they will continue to use these sites regardless of security concerns. Security professionals play an important role by educating users on the potential risks of Web 2.0 tools and how to avoid them. They can also reduce the likelihood of an incident in their organization by developing security policies for the Web 2.0 world. These policies should include:

  • Implementing data protection controls.
  • Implementing an acceptable use policy that limits who can use Web 2.0 tools.
  • Blocking unacceptable sites.
  • Monitoring content.
  • Reviewing potential vulnerabilities on a weekly basis.
  • Placing a firewall between the Web 2.0 tool and the rest of the network (if hosted in-house).
  • Conducting regular penetration tests to check for vulnerabilities.