Web 2.0 Security Hangover

The Web 2.0 party was a great time, but security pros and analysts are waking up to new problems.

Web 2.0 applications have certainly made the user experience more interactive, but organizations need to be mindful of their impact on Web site security.

Certainly, there are a number of reasons Web sites become an attractive target for hackers; sometimes a site was built before a class of attack was publicly known, or its developers were in a hurry. Still, some researchers say the Web 2.0 rush has had an impact on security as well, opening up new possibilities for attackers.

"The Web used to be a very static delivery method," said Mary Landesman, senior security researcher at ScanSafe. "All we could do is go to a site and read it. We couldn't interact with it."

But in today's dynamic Web 2.0 environment, there is a lot of give-and-take of information, from visitors leaving comments to third-party advertising being pushed in by affiliate ad programs, Landesman said.

"There are a lot of Web applications that are now involved," she said. "It just opens the door for exploits, either within the Web application, or through social engineering or by a hostile person inserting themselves at some point in this chain of affiliate relationships."

Waking up to the Web 2.0 hangover

In ScanSafe's Annual Global Threat report released March 31, researchers said there were numerous instances of malware hidden in banner ads in 2007, including a Trojan-laced banner ad displayed on high-profile Web 2.0 sites such as MySpace and Photobucket.

Still, all the attacks that plagued Web 1.0 remain in circulation today, said Jeremiah Grossman, chief technology officer at WhiteHat Security.

"While Web 2.0 technologies have added some new attack techniques, they really aren't the issues we need to be most concerned about when comparing to the existing issues," Grossman said. "The issues we need to tackle have been firmly rooted into the system since the Web began ... What Web 2.0 has done is added additional complexity to the attack surface, which has proved difficult for everyone to fully understand."

Click here for eWEEK's Security Dictionary.

A lineup of common Web site vulnerabilities will certainly feature some familiar faces; for example, a recent report by WhiteHat Security listed cross-site scripting vulnerabilities as the most commonly found. Officials at the company, which provides Web site security services, urge enterprises to prioritize all their Web sites by their importance to the business and to note the party responsible for their security. The company also recommends that businesses take a defense-in-depth approach to Web site security that includes everything from vulnerability assessment to Web application firewalls.
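The cross-site scripting problem WhiteHat ranks first is, at root, untrusted input landing in markup without escaping. The following JavaScript is an added illustration written for this page, not code from WhiteHat, ScanSafe or any site named in the article: a vulnerable comment renderer of the kind a Web 2.0 comment feature might use, its hardened counterpart, and a small check that flags when foreign markup leaks into the rendered fragment. The function names, the comment objects and the sample comment text are all constructed for the example.

```javascript
// Added example: rendering user-submitted comments into an HTML fragment.
// renderCommentUnsafe is the classic XSS sink: untrusted text is concatenated
// straight into markup. renderCommentSafe escapes the HTML-significant
// characters before interpolation. All names and sample data are constructed
// for this example.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape a value for an HTML text or double-quoted attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: author and body reach the page exactly as submitted, so a body
// containing a <script> tag becomes executable markup for every other visitor.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Check used for tests or output review: does the rendered fragment contain any
// tag other than the ones the template itself emits? An extra tag means
// untrusted markup got through unescaped.
const TEMPLATE_TAGS = new Set(["div", "/div", "b", "/b"]);

function containsForeignMarkup(html) {
  const tagPattern = /<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Constructed sample input: one benign comment and one carrying inline script.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Great post, thanks!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
];

// Render each comment both ways and report whether foreign markup leaked.
function auditComments(comments) {
  return comments.map((c) => ({
    author: c.author,
    unsafeLeaks: containsForeignMarkup(renderCommentUnsafe(c)),
    safeLeaks: containsForeignMarkup(renderCommentSafe(c)),
  }));
}

console.log(JSON.stringify(auditComments(SAMPLE_COMMENTS), null, 2));
```

Output encoding at the point of rendering is only one layer; the defense-in-depth WhiteHat describes would pair it with vulnerability assessment of the application and a Web application firewall in front of it, so that a renderer someone forgot to harden is still caught.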

"When we consider the risks [of Web 2.0], clearly the underlying Web applications themselves have the same inherent vulnerabilities that Web 1.0 applications had," said Oliver Friedrichs, director of emerging technologies for Symantec Security Response. "The risks themselves are very, very similar to what we've seen in the past; it's just a different set of protocols and client-side functions that are being used."

Paul Roberts, an analyst with The 451 Group, commented, "I think what you're seeing really is kind of the hangover that is coming after the exuberance, the party that was Web 2.0. People have developed a lot of code using some of the new tools that are available, using some of the new development techniques, and there is more interest in the capabilities of those ... than there has been [in] the security of the code."