A Security Expert's Guide to Web 2.0 Security

by Roger Thornton, Fortify Software CTO, and Jennifer Bayuk, formerly CISO of Bear Stearns

Web 2.0 has brought new life to the online world

Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. Two Web 2.0 concepts change the game for CISOs, and they need to understand both. The first is the introduction of rich client interfaces (AJAX, Adobe Flex); the second is a shift to community-controlled content as opposed to the publisher-consumer model. Both raise serious security issues.

It’s all good news about Web 2.0, right?

Yes, unless you happen to be responsible for securing the Web 2.0 environment for your business or enterprise. Then you might just lament that we have taken the data-rich server model of the 1970s and grafted it onto the interface-rich client model of the 1980s and 90s, giving us more capabilities but also a more complex—and vulnerable—computing environment.
We have to deal with the problems traditionally encountered with interface-rich clients—viruses, Trojans, man-in-the-middle attacks, eavesdropping, replay attacks, rogue servers and others. All of these apply to every interface in a Web 2.0 mashup, which could have dozens of clients in one application.

In addition, the user community has changed from being simply indifferent to being willfully ignorant of the value of information. Users willingly post the most revealing details about their employers and their professional lives (not to mention their personal lives) on MySpace, Facebook, LinkedIn and Twitter—information that is easily available to just about anyone.
The problem is painfully obvious to the security professional: more complexity and openness create vulnerabilities, opportunities for attack and avenues for the release of confidential information. All of this means more headaches for security professionals, who have to stay vigilant in order to keep their IT environments secure.

What’s a CISO to do?

Although some companies have tried all of these options, you cannot easily write your own browser, isolate your users from the Web, or control everything that happens on their PC desktops. However, there are steps you can take that seriously improve your odds of winning the battle against Web 2.0 vulnerabilities.

For community controlled content:

1. Educate yourself and your company, developers, vendors and end users about Web 2.0 vulnerabilities. Institute a clearing process for the use and inventory of new Web 2.0 components before they are incorporated into your business environment.
2. Segregate network access between users who need access to social networking sites and those who do not.
3. Establish a policy identifying professional topics that are inappropriate for public discussion on the Web or through online social services.
4. Create desktop policies and filters that block, as far as possible, interactions with unknown and untested software.

When deploying rich client interfaces:

5. Assign a cross-functional team to work with software development and application owners so that they understand the risks of incorporating Web 2.0 components into applications. Have your own developers recognise and control the use of potentially vulnerable technologies such as ActiveX and JavaScript.
6. Require your vendors to meet secure coding standards.
7. Stay vigorously on top of vulnerabilities and exploits. Use your Web 2.0 inventory to establish a quick-response plan for mitigating affected software as issues arise.

Fortify is taking the lead in educating Web 2.0 developers about the security vulnerabilities of their sites and services. Fortify's Resource Center supports this by publishing the latest research in software risk mitigation, application vulnerability detection, and best practices in secure software development. Check it out to stay up to date on the latest security vulnerabilities and the defences against them.

For further information visit http://www.fortify.com/cisoguides/

Fortify is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th – 30th April at its new venue, Earl's Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Infosecurity PR