Web 2.0 applications disrupt previous security measures

As government agencies use more applications based on Web
services, new vulnerabilities in those programs threaten to circumvent traditional cybersecurity. Experts say
the safest way to ensure the integrity of such applications is to build security into them.

Tim Grance, manager of systems and network security at the
National Institute of Standards and Technology, said Web services-based applications can render traditional cybersecurity measures, such as firewalls, ineffective. That’s because the new applications transfer information from application to application through intermediary public Web sites rather than internally through an agency’s secure server network.

“That autonomy clashes with our traditional security models,” Grance said. “Perimeters aren’t quite what they were” in the past.

NIST has published a 128-page “Guide to Secure Web Services” that alerts managers to issues they should be aware of when they develop applications. The recommendations for avoiding security breaches include replicating data at physically separate locations, logging all visitors to Web 2.0 sites and encrypting data transferred via Web services applications.

“Perimeters aren’t quite what they were” in the past. Tim Grance, National Institute of Standards
and Technology

However, some experts are concerned that NIST’s guide is too narrow in scope. “Web 2.0 is much bigger than the areas NIST is addressing,” said Bruce McConnell, president at consultant McConnell International.

Web services applications can create security pitfalls that experts might not fully understand, he added. For example, when coders develop programs called mashups, they integrate elements of other Web applications to create capabilities beyond those of the programs’ components. However, because mashups are not well-understood, they could carry new vulnerabilities, McConnell said.
One solution is to build in rather than deploy external measures later. “Technology is starting to be developed with security built in — not as an afterthought — but this practice is not yet as widespread or as deep as it needs to be,” he said.

Web 2.0 pioneer Google tackles security on a daily basis. It is “embedded into the way the company does everything — the way we share data, the way we develop code,” said Rajen Sheth, lead project manager at Google Enterprise.

Furthermore, the company’s developers design their applications knowing that they will fail at some point in their life cycles, Sheth said. Consequently, Google developers always look for the best ways to protect and recover data.

Sheth said it is important for developers to be familiar with various types of cybersecurity threats and attacks. Much of that knowledge can only come from experience, he said, adding that the challenge is passing that knowledge on to others.

Featured

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.