It’s all good news about Web 2.0, right? Yes, unless you happen to be responsible for securing the Web 2.0 environment for your business or enterprise. Then, you might just lament that we’ve taken the data-rich server model of the 1970s and grafted it onto the interface-rich client model of the 1980s and 1990s, giving us more capabilities but also a more complex — and vulnerable — computing environment.
We have to deal with the problems traditionally encountered with interface-rich clients — viruses, Trojans, man-in-the-middle attacks, eavesdropping, replay attacks, rogue servers and others. These all apply to every interface in a Web 2.0 mashup, and a single mashup application may combine dozens of such client interfaces, each talking to a different service.
In addition, the user community has changed from being simply indifferent to being willfully ignorant of the value of information. Users willingly post the most revealing details about their employers and their professional lives (not to mention their personal lives) on MySpace, Facebook, LinkedIn and Twitter — information that is easily available to just about anyone.
The problem is painfully obvious to the security professional: more complexity and openness create vulnerabilities, opportunities for attack and avenues for the release of confidential information. All of this means more headaches for security professionals, who must be vigilant in order to keep their IT environments secure.
Web 2.0 has brought new life to the online world
Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. There are two Web 2.0 concepts that change the game for CISOs and that they need to understand. The first is the introduction of rich client interfaces (AJAX, Adobe Flex); the other is a shift to community-controlled content as opposed to the traditional publisher-to-consumer model. Both raise serious security issues.