Web 2.0 applications disrupt previous security measures

As government agencies use more applications based on Web services, new vulnerabilities in those programs threaten to bypass traditional cybersecurity controls such as perimeter firewalls. Experts say the safest way to ensure the integrity of such applications is to build security into them from the start.

Tim Grance, manager of systems and network security at the National Institute of Standards and Technology, said Web services-based applications can render traditional cybersecurity measures, such as firewalls, ineffective. That's because the new applications pass information from application to application through intermediary public Web sites, over the same HTTP traffic a perimeter firewall already allows, rather than internally through an agency's secure server network.

“That autonomy clashes with our traditional security models,” Grance said. “Perimeters aren’t quite what they were” in the past.

NIST has published a 128-page "Guide to Secure Web Services" (Special Publication 800-95) that alerts managers to issues they should be aware of when they develop applications. The recommendations for avoiding security breaches include replicating data at physically separate locations, logging all visitors to Web 2.0 sites and encrypting data transferred between Web services applications, so that it stays protected even while it passes through intermediaries the agency does not control.
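To make the perimeter point concrete, the following is an added illustration, not code from the article or from the NIST guide: a message that two services exchange through a public intermediary carries its own message-level integrity check, so tampering at the intermediary is detected end to end, whereas transport encryption alone ends at each hop. The shared key, the JSON envelope format and the "amount" field are assumptions made for this example; the guide's recommendation covers encryption as well, and the same end-to-end principle applies to it.

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the sending and receiving services (an
# assumption of this example; a real deployment would obtain it from a
# key-management service or use public-key signatures instead).
SHARED_KEY = b"example-shared-secret-do-not-use"


def canonical(body: dict) -> bytes:
    """Serialize the message deterministically so both ends MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, key: bytes = SHARED_KEY) -> dict:
    """Wrap the body in an envelope with a MAC that travels with the message."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_message(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Return True only if the body is exactly what the sender authenticated."""
    expected = hmac.new(key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def intermediary_rewrites(envelope: dict) -> dict:
    """Model a public intermediary site that alters the payload in flight.
    TLS between hops terminates at this site, so it cannot catch the change."""
    tampered = json.loads(json.dumps(envelope))  # deep copy, as the next hop sees it
    tampered["body"]["amount"] = 999999
    return tampered


def demo() -> tuple:
    """Constructed message: the intact copy verifies, the rewritten copy does not."""
    original = sign_message({"account": "12345", "amount": 100, "action": "transfer"})
    intact_ok = verify_message(original)
    tampered_ok = verify_message(intermediary_rewrites(original))
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

A firewall watching this traffic sees ordinary outbound HTTP in both cases; only the receiving service, checking the MAC inside the message, can tell the rewritten copy from the original.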


However, some experts are concerned that NIST’s guide is too narrow in scope. “Web 2.0 is much bigger than the areas NIST is addressing,” said Bruce McConnell, president at consultant McConnell International.

Web services applications can create security pitfalls that experts might not fully understand, he added. For example, when coders develop programs called mashups, they combine data and code from several other Web applications to create capabilities beyond those of the programs' components. However, because mashups are not well-understood, they could carry new vulnerabilities, McConnell said.

One solution is to build security in rather than deploy external measures later. "Technology is starting to be developed with security built in — not as an afterthought — but this practice is not yet as widespread or as deep as it needs to be," he said.

Web 2.0 pioneer Google tackles security on a daily basis. It is “embedded into the way the company does everything — the way we share data, the way we develop code,” said Rajen Sheth, lead project manager at Google Enterprise.

Furthermore, the company’s developers design their applications knowing that they will fail at some point in their life cycles, Sheth said. Consequently, Google developers always look for the best ways to protect and recover data.

Sheth said it is important for developers to be familiar with various types of cybersecurity threats and attacks. Much of that knowledge can only come from experience, he said, adding that the challenge is passing that knowledge on to others.
