Will There Be A Pause in the Web 2.0 Party?
Web 2.0 security vulnerabilities are well known and it's almost as well known that these aren't really new - the difference with Web 1.0 is more of quantity than quality. Web 2.0 tools and techniques let us build apps faster, introduce more features, and tie into more backend applications. All good things, but sometimes too much of a good thing leads to what eWeek is calling the Web 2.0 Security Hangover.
Ajax is the perpetual favorite whipping boy when it comes to Web app security. It lets us introduce cross site scripting, SQL injection, client side injection, XMLHttpRequest and other attacks faster than previously possible. Paul Robers, of the 451 Group told eWeek:
"I think what you're seeing really is kind of the hangover that is coming after the exuberance, the party that was Web 2.0. People have developed a lot of code using some of the new tools that are available, using some of the new development techniques, and there is more interest in the capabilities of those ... than there has been [in] the security of the code."
The solution is not ditching Web 2.0 techniques but making it as easy to prevent and test for these vulnerabilities as it is to introduce them. There are commercial as well as open source vulnerability scanning (check out OWASP Interceptor Project or Insecure WebApp). We can also use Ajax frameworks like IceFaces, which provides interface components designed to reduce the risks associated with common vulnerabilities. There is a whitepaper on the project site that describes how the framework improves Ajax security.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
