Web 2.0 Security and the Uncertainty Principle


It's almost possible to feel sorry for security professionals. They've spent years putting systems in place to protect businesses. They've hardened the perimeter and made sure data was centralized and safe at the core of the network. They've begged people to be careful with their mobile devices.


Now, with mobility and Web 2.0, all that has been turned on its head. These new approaches are harder to secure by design: they push data and code out of the hardened core and onto browsers and mobile devices. Just as quantum mechanics holds that a particle's position and momentum cannot both be known precisely at the same time, a piece of data cannot be made both more secure and more available at the same time, because every new channel that exposes it to legitimate users also exposes it to attackers.


Of course, security staffs must do just that, uncertainty principle founder Werner Heisenberg be damned. The struggles faced by businesses are outlined at Dark Reading, which reports on an Interop session featuring representatives from U.S. Bank and the University of Notre Dame.


The story portrays the bank as having a flexible strategy, with a focus on end points. The company locks down USB ports, outlaws iPods, scans for sensitive data such as credit card numbers, finds and deletes dangerous URLs, and carefully tracks the flow of data in the organization. The piece discusses the special problems faced by Notre Dame and other academic institutions, but doesn't describe what measures the Fighting Irish have put in place.


One of the key Web 2.0 trouble spots is JavaScript. As this CNET piece points out, this scripting language has a long track record on the Internet. However, its use as an integral part of AJAX, a family of Web development techniques used to build interactive Web 2.0 sites, is exposing previously unknown weaknesses. One such danger, described by the manager of security research at Fortify at a Web 2.0 Expo session, is JavaScript hijacking. In this attack, a malicious page loads a JSON-returning URL from another site as if it were a script; the victim's browser attaches the user's session cookies to that request, and the attacker's page captures the personal data that comes back. The complexity of AJAX's use of JavaScript also makes it more difficult to test, the story says. This post at WebHelperMagazine touches on JavaScript's Web 2.0 problems and links to 22 sites or stories that deal with the issue.


This ITtoolbox posting discusses Web 2.0 security problems that were found and remedied during April. Neither of the problems, at Twitter and Tumblr, sounds like it was particularly difficult to fix. In the bigger picture, however, the troubling conclusion is that quality control and security may not be the top items on the agenda of Web 2.0 companies as they rush to roll out services.


The ground-up nature of the Internet means that security follows a similar path: New platforms are introduced, grow in popularity and are exposed as insecure. The industry then scrambles as best it can to plug the holes. Wireless, which went through several security protocols on the fly (WEP, then WPA, then WPA2), is the best example of this chronically inefficient approach which, at the end of the day, is inevitable in highly competitive industries in which tools are used the second they come off the R&D assembly line.


Web 2.0 may turn out to be the true poster child of the bolt-on approach to security, since the very idea of the platform is to make information more readily available.