Web 2.0 applications disrupt previous security measures
- By Wade-Hahn Chan
- Oct 12, 2007
As government agencies use more applications based on Web
services, new vulnerabilities in those programs threaten to circumvent traditional cybersecurity. Experts say
the safest way to ensure the integrity of such applications is to build security into them.
Tim Grance, manager of systems and network security at the
National Institute of Standards and Technology, said Web services-based applications can render traditional cybersecurity measures, such as firewalls, ineffective. Thats because the new applications transfer information from application to application through intermediary public Web sites rather than internally through an agencys secure server network.
That autonomy clashes with our traditional security models, Grance said. Perimeters arent quite what they were in the past.
NIST has published a 128-page Guide to Secure Web Services that alerts managers to issues they should be aware of when they develop applications. The recommendations for avoiding security breaches include replicating data at physically separate locations, logging all visitors to Web 2.0 sites and encrypting data transferred via Web services applications.
Perimeters arent quite what they were in the past. Tim Grance, National Institute of Standards
However, some experts are concerned that NISTs guide is too narrow in scope. Web 2.0 is much bigger than the areas NIST is addressing, said Bruce McConnell, president at consultant McConnell International.
Web services applications can create security pitfalls that experts might not fully understand, he added. For example, when coders develop programs called mashups, they integrate elements of other Web applications to create capabilities beyond those of the programs components. However, because mashups are not well-understood, they could carry new vulnerabilities, McConnell said.
One solution is to build in rather than deploy external measures later. Technology is starting to be developed with security built in not as an afterthought but this practice is not yet as widespread or as deep as it needs to be, he said.
Web 2.0 pioneer Google tackles security on a daily basis. It is embedded into the way the company does everything the way we share data, the way we develop code, said Rajen Sheth, lead project manager at Google Enterprise.
Furthermore, the companys developers design their applications knowing that they will fail at some point in their life cycles, Sheth said. Consequently, Google developers always look for the best ways to protect and recover data.
Sheth said it is important for developers to be familiar with various types of cybersecurity threats and attacks. Much of that knowledge can only come from experience, he said, adding that the challenge is passing that knowledge on to others.