Sunday, February 3, 2008

Web 2.0; a Pandora's box of new security issues

The use of Web 2.0 technologies opens up a whole new range of security issues. Our focus on the intranet offers some consolation, but the issues are still there. The use of Ajax, which is central to most Web 2.0 solutions, not only offers the average user new possibilities, but also provides hackers with new, enhanced options!

I came across a recent book on the subject, "Ajax Security" by Hoffman and Sullivan (2007, Addison Wesley, 470p), that seems to offer one of the best overviews of the issues. While going into some detail about threats and remedies, it also offers non-technical readers like myself a good overview of issues and remedies.
If you're interested in the issue, take a look at this review (courtesy of Pathfinder; Agile Ajax) that also gives a useful summary of many of the issues that are further covered in the book:

"[The book] demonstrates not only new security threats that are unique to Ajax, but established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats.
Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgeries, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of xmlHttpRequest, public APIs, mash-ups and aggregators. If you've ever read a Douglas Crockford rant about the "brokenness" of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call."

Agile Ajax also has an interesting follow-up detailing some of the most shocking finds based on the book.
