Web 2.0 Security: Getting Collaborative Peace of Mind

Page 4 of 4



Web 2.0 Security Resources

There’s no reason to be unprepared to face the potential security risks caused by Web 2.0 technology. In addition to the wide variety of solutions offered by technology vendors today, there is an equally vast collection of books that offer insights into the ways to effectively, and securely, deploy Web 2.0 in the enterprise. "‘Security’ hinges upon the notion that users add risk and new technologies increase vulnerability. Where Web 2.0 puts a premium on open data and user participation, security seeks to create limits to both. This is a healthy tension," according to Joshua Ross, VP of O’Reilly InPractice, a division of O’Reilly Media. He points out that, "While security is a valid concern, it isn’t an excuse to ignore Web 2.0." As an indicator of the maturity of Web 2.0 applications, Safari Books—a leading technology publisher that practices what it preaches in its usage of web-based delivery—offers a plethora of titles related to the topic. Here are some titles you may want to check out, as well as some insights from the authors:

RailsSpace: Building a Social Networking Website with Ruby on Rails
By Michael Hartl and Aurelius Prochazka

"The rise of user-generated content has heightened the importance of treating all user-supplied information as potentially dangerous. For example, unless properly processed, even plain text can be a threat, through attacks such as SQL injections and cross-site scripting (XSS)," says Hartl, also founder of the Insoshi social networking platform.

Advanced Ajax: Architecture and Best Practices
By Shawn M. Lauriat

  • While HTTPS still has vulnerabilities of its own, as with any software, it has proven to be a great enhancement to security
    when compared to sending data in clear text.
  • If part of an application design calls for storing a password in clear text, or even a reversible string, then that aspect of the application needs rethinking, if not redesigning altogether. Additionally, any hashing done must use a salt. (A salt is an additional value passed to a hashing algorithm to alter the output in a consistent manner.) A salt must be used in order to prevent brute-force attacks on the hash value itself or to keep attackers from simply looking up the hash in a database of known values or rainbow table.
  • Along with escaping output, switching usage of innerHTML to direct DOM manipulation makes it more difficult for attackers to
    successfully pull off XSS. Using innerHTML does make it easy to insert data into an interface, but it effectively calls the markup equivalent of eval while doing so. Any markup, whether from your application or an attacker, will get interpreted as markup.
  • Especially in JavaScript-heavy Ajax web applications, developers have a tendency to treat JavaScript functionality that is not
     immediately exposed to the user as an impenetrable black box. This opens the application for attackers to directly manipulate the objects by using pre-written scripts; they can even open a JavaScript debugger and change values and calls mid-execution. It does not take much inspection of an object to realize what it uses as the primary key and what other keys may exist that the user shouldn’t have access to load, let alone change. Improper authorization checking may result in data getting hidden from the user’s view without checking on direct loading or altering of the data.
By Ramarao Kanneganti and Prasad Chodavarapu

"Most practitioners of IT pick up the basics of security on the job. Almost everyone who has worked for a few years in IT has an intuitive feel for username/password-based authentication. A decade of practice with HTTPS has made many in the IT community familiar with PKI as well. However, the security concepts required for SOA cannot be learned by osmosis. Not only are there new security concepts and technologies that need to be understood, some of the most popular security practices turn out to be counterproductive when used in SOA implementations."

Here are other Web 2.0 books you may want for your bookshelf:

  • Web 2.0: A Strategy Guide, Amy Shuen
  • Web 2.0: Principles and Best Practices, John Musser
  • Building a Web 2.0 Portal with ASP.NET 3.5, Omar Al Zabir
  • The New Language of Business: SOA & Web 2.0, Sandy Carter
  • RSS and Atom in Action: Web 2.0 Building Blocks, Dave Johnson
  • Ajax Security, Billy Hoffman and Bryan Sullivan
Source: Safari Books Online

Companies featured in this article:

The 451 Group    

Central Desktop, Inc.   


Gartner, Inc.    




Mi5, Inc.   

Q1 Labs, Inc.    

Traction Software, Inc.    

Page 4 of 4