07.31.07


Looking At The State Of Web 2.0 Security

By Dan Morrill

Some of the commentary coming back on this blog is that the state of Web 2.0 security is in relatively poor shape, and as we have gone through a lot of the code available from larger companies, everyone approaching Web 2.0 seems to have shoved security out the door while they concentrate on making product.

Not just LinkedIn, as we wrote about yesterday here, but many of the snippets, widgets, APIs, templates, and other things that someone can add to their web site need solid security reviews, including a look at how those bits of code can be misused.

While limiting the number of calls back to the backend infrastructure is one way to keep systems from being abused, the tighter integration between the browser, the desktop, and people's web sites means that code-based errors and omissions can come from anywhere in the stack. The interdependencies of the whole system require that companies take a holistic approach to the products that they deliver.

The products they make might be very secure, but the module call in IE or Firefox might be an issue, or cross-site scripting might be, because someone has the ability to misuse your site to accomplish their ends, to their gain, and your site is the one that will be blamed.

The commonality of the mistakes, and the inattention to writing good, secure code throughout the food chain, compound in Web 2.0 because of the complexity of the systems, the "errors can be anywhere" process, and the interdependencies of the modules in the code.
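The cross-site scripting case above is the widget problem in miniature: a snippet you embed renders text that other people supplied, and if it interpolates that text straight into markup, your site ends up serving someone else's script under your name. The following is an added example (not code from the original post, nor from any product it mentions) of a hypothetical comment widget in its vulnerable and hardened forms; the `renderComment*` and `escapeHtml` names and the sample comment are constructed for illustration.

```javascript
// Added example: a third-party "comment widget" that renders user-supplied
// text into a host page. The unsafe version interpolates raw strings into
// HTML; the hardened version escapes them first, so the host site is not
// turned against its own visitors.

// HTML-escape the five characters that matter in text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: whatever a user typed becomes live markup on the host page.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// Hardened: every untrusted field is escaped before it touches markup.
// (In a browser, building the node with createElement/textContent is the
// equivalent defence; string escaping is used here so it runs anywhere.)
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Minimal review check: does the rendered markup still contain a script tag?
function containsScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample input: a comment whose body carries a script tag.
const sampleComment = { author: "guest", body: "<script>alert(1)</script>" };

console.log("unsafe:", containsScriptTag(renderCommentUnsafe(sampleComment))); // true
console.log("safe:  ", containsScriptTag(renderCommentSafe(sampleComment)));   // false
```

The check function is the kind of thing a reviewer can drop into a widget's test suite: feed it a handful of constructed strings with markup in them and assert that nothing survives rendering as a tag. It is deliberately narrow; a real review also covers attribute and URL contexts, which need their own encoding.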


The other problem is that there is really no low-cost, or even affordable, way for startups to do this kind of testing. While we are working in the market, the reality of startup funding is that they have no money, yet they are the ones who need the support the most. Angel-funded and VC-funded companies are better candidates, because they can start paying attention to security if they have someone who is aware and willing to take that work on board.

Information security is in some ways all over Web 2.0, with great freeware and commercial tools, but the focus on product, and the lack of process or procedure when developing it, means that in the drive for the product many things go by the wayside. Good coding practices, security testing, quality assurance testing, usability testing and a host of other testing schemes are not done, or if they are done are only based on functionality or usability. It makes sense; they are pushing a product out the door.

Early adopters are going to be the most vulnerable to the standards and practices that startup code presents. One good security hack and the whole startup is put at risk, or even failure, because it compromised the clients it is trying to win. Startups, angel-funded and VC-funded companies should be getting their code security checked along with QA; doing any less puts their customers and company at risk.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

About CTOupdate
A collection of articles and news designed to keep professionals in the tech industry informed about the latest developments in an ever-changing landscape.

-- CTOUpdate is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
© 2007 iEntry, Inc. All Rights Reserved