Web 2.0 security goes beyond the content that users find on the web and share with others within their network. It also involves preventing data leakage; that is, ensuring that content doesn’t find its way out, notes William "Sandy" Bird, CTO for Q1 Labs. The main vulnerabilities can be found directly in the collaboration applications such as wikis and blogs, in syndication (from RSS feeds and mashups), as well as Rich Interface Applications (RIA) and AJAX-enabled websites. Web 2.0 applications are vulnerable to a variety of threats, from cookie tampering to cross-site scripting (XSS) attacks.
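The XSS exposure in wikis, blogs and feed readers comes from rendering content that other users wrote. The following added example (not code from the article or from any vendor it quotes) shows a feed-item renderer in its vulnerable and hardened forms; the helper names, the item fields and the sample item are all constructed for this illustration.

```javascript
// Added example: rendering user-contributed content (a blog comment or a
// syndicated feed item) without introducing cross-site scripting.
// escapeHtml, safeHref, renderItemUnsafe and renderItemSafe are our own
// hypothetical helpers, not any product's API.

// The five characters that carry meaning in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) URLs in href attributes. Anything else
// (javascript:, data:, relative junk, unparseable input) becomes "#".
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // not a parseable absolute URL; fall through to the safe default
  }
  return "#";
}

// Vulnerable form: raw fields are interpolated straight into markup, which is
// the pattern behind many wiki, blog and feed-reader XSS bugs.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a>: ${item.body}</li>`;
}

// Hardened form: every untrusted field is encoded for the context it lands in
// (attribute value, link text, element body).
function renderItemSafe(item) {
  return `<li><a href="${safeHref(item.link)}">${escapeHtml(item.title)}</a>: ${escapeHtml(item.body)}</li>`;
}

// Constructed sample feed item: a script tag in the title and a javascript:
// scheme in the link, the two things the renderer must neutralise.
const SAMPLE_ITEM = {
  title: "Quarterly <script>alert(1)</script> update",
  link: "javascript:alert(1)",
  body: 'Click "here" & read more',
};

// Returns both renderings so the difference can be compared side by side.
function demo() {
  return { unsafe: renderItemUnsafe(SAMPLE_ITEM), safe: renderItemSafe(SAMPLE_ITEM) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the block prints the two renderings: the unsafe one carries the script tag and the javascript: link through verbatim, while the safe one turns the tag into inert text and replaces the link with "#". Server-side templating engines that auto-escape give the same protection by default; the point of the hand-written version is to show which context each field needs encoding for.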
Oftentimes, when such attacks occur, the user is unaware that his computer—and important data—has been compromised. It’s a different world from years ago when viruses would wreak immediate (and very obvious) havoc on computer users. The threat may be imperceptible, and potentially even more dangerous.
The potential for security breaches caused by Web 2.0 technology is not likely to go away on its own. As more and more individuals use these applications (especially in the workplace), the risk of suffering from security breaches will likely increase considerably. In fact, companies are facing security issues on both the client side and the server side, says Danny Allan, director of security research for IBM Rational. Both can have devastating effects on companies, their employees, and their customers when the data created and stored in these Web 2.0 environments is compromised.
"Web 1.0 was a static page. With Web 2.0, you’ve got more client-side processes, like AJAX and widgets. Technically, there’s more going on," says Doug Camplejohn, CEO and founder of Mi5 Networks, which focuses on the client side of the security issue.
Don’t Drop Your Guard
This collaborative environment seems to be one in which users have let their guards down. "People don’t read licensing agreements, they’ll add a widget or they’ll click on a link," adds Camplejohn, noting that the "bad guys" have gotten better at making harmful applications look legitimate. What has also changed, notes Camplejohn, is that when a virus or spam infected a system, its effects were noticed immediately. "The new threats are silent," says Camplejohn. "They sneak in under the radar."
Mi5 Networks provides companies with Webgate appliances that help prevent vulnerabilities from occurring and help clean up any problems that do occur. The Webgate solutions don’t require any installation and immediately monitor and block vulnerabilities. "Companies use us for two reasons: to see what employees are doing and what they are not doing; and to see what applications are okay and not okay," explains Camplejohn.
Imperva stresses the importance of having security measures in place on the server side when explaining its security solutions to customers. "What we talk to customers about is the need to apply security on the server side because that’s where you have control," says Mark Kraynak, Imperva’s director of strategic marketing. Still, with this approach, the goal is to prevent future problems. "We can show how the applications are working and we use the model to prevent attacks," explains Kraynak. Imperva’s SecureSphere monitors the activity in its customers’ applications and databases to prevent vulnerabilities. By using dynamic profiling, Imperva creates profiles of applications and databases, so changes and possible malicious activity can be more easily noticed.
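To make the profiling idea concrete, here is an added example (not Imperva's code and not a description of how SecureSphere works) of the general technique: learn what normal requests to an application look like, then flag requests that deviate from the learned profile. The request format, endpoint names and all traffic shown are constructed for the demo.

```javascript
// Added example: a toy "dynamic profiling" check for web application traffic.
// buildProfile, checkRequest and valueShape are hypothetical helper names.

// Constructed learning-phase traffic: requests observed while the
// application is used normally.
const BASELINE_REQUESTS = [
  { method: "GET", path: "/wiki/page", params: { id: "42" } },
  { method: "GET", path: "/wiki/page", params: { id: "1087" } },
  { method: "POST", path: "/wiki/edit", params: { id: "42", body: "Meeting notes for Monday" } },
  { method: "POST", path: "/wiki/edit", params: { id: "7", body: "Release checklist" } },
  { method: "GET", path: "/feed.rss", params: {} },
];

// Classify a parameter value into a coarse shape. The profile stores shapes
// seen per parameter, not raw values, so it generalises to unseen inputs.
function valueShape(value) {
  if (/^\d+$/.test(value)) return "digits";
  if (/^[\w .,'-]+$/.test(value)) return "text";
  return "other"; // markup, quotes, or control characters
}

// Build the profile: for each "METHOD path" endpoint, the parameter names
// seen, the value shapes seen for each, and the longest value observed.
function buildProfile(requests) {
  const profile = new Map();
  for (const req of requests) {
    const key = `${req.method} ${req.path}`;
    if (!profile.has(key)) profile.set(key, new Map());
    const paramProfile = profile.get(key);
    for (const [name, value] of Object.entries(req.params)) {
      if (!paramProfile.has(name)) paramProfile.set(name, { shapes: new Set(), maxLen: 0 });
      const p = paramProfile.get(name);
      p.shapes.add(valueShape(value));
      p.maxLen = Math.max(p.maxLen, value.length);
    }
  }
  return profile;
}

// Compare one request against the profile. Returns an array of findings;
// an empty array means the request matches learned behaviour.
function checkRequest(profile, req, lengthSlack = 2) {
  const key = `${req.method} ${req.path}`;
  const paramProfile = profile.get(key);
  if (!paramProfile) return [`unknown endpoint ${key}`];
  const findings = [];
  for (const [name, value] of Object.entries(req.params)) {
    const p = paramProfile.get(name);
    if (!p) {
      findings.push(`unexpected parameter '${name}' on ${key}`);
      continue;
    }
    const shape = valueShape(value);
    if (!p.shapes.has(shape)) {
      findings.push(`parameter '${name}' has shape ${shape}, expected ${[...p.shapes].join("/")}`);
    }
    if (value.length > p.maxLen * lengthSlack) {
      findings.push(`parameter '${name}' length ${value.length} exceeds learned maximum ${p.maxLen}`);
    }
  }
  return findings;
}

// Constructed requests to check: one normal, one with markup in a numeric
// field, and one to an endpoint never seen during learning.
const TEST_REQUESTS = [
  { method: "GET", path: "/wiki/page", params: { id: "99" } },
  { method: "GET", path: "/wiki/page", params: { id: "42<script>" } },
  { method: "GET", path: "/admin/export", params: {} },
];

// Returns one findings array per test request, in order.
function demo() {
  const profile = buildProfile(BASELINE_REQUESTS);
  return TEST_REQUESTS.map((r) => checkRequest(profile, r));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The first request produces no findings; the second is flagged twice (unexpected value shape and a length well past the learned maximum); the third is flagged as an unknown endpoint. The caveat any practitioner applies to this approach is that the learning window must itself be clean and representative, otherwise the profile either bakes in malicious traffic or floods operators with alerts the first time a legitimate new feature ships.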
Experts agree that such a proactive approach is the best approach, and one of the most popular solutions seems to be technology that enables clients to closely monitor their Web 2.0 systems and send alerts when a security breach is detected.
It’s also helpful for companies to identify exactly who caused a security breach, and Q1 Labs’ flagship product offers clients that visibility. QRadar enables its clients to uncover the source of a security problem and protect themselves against any security threats before they cause problems. "It’s providing visibility to the incident as a whole," says Bird.
Most often, violators don’t have malicious intentions, notes Camplejohn. However, safeguards still need to be in place to prevent users from accessing harmful websites and applications. Mi5 Networks has technologies that will block users from visiting a webpage that is identified as a risk. They receive a message that informs them that the particular page violates company policy. "We can also block a portion of a page and still deliver the good content," adds Camplejohn.
Pescatore notes that many organizations seek solutions that have security features already built in. He points to IBM and HP, which both purchased companies last year that offer security tools. IBM acquired Watchfire and HP bought SPI Dynamics. (Allan actually joined Watchfire in 2000 and transitioned to IBM with the acquisition).
Within a few months, IBM released IBM Rational AppScan, which is a complete suite of automated web application security tools that scan and test web applications for security vulnerabilities. It also offers recommendations for how to fix problems that are identified, which helps organizations close the loop on their security issues.