News

Security 101 for Web 2.0

• By Shawna McAlearney
• July 17, 2006

As the threat landscape continues to shift toward financially motivated attacks directed at applications at large enterprises, building security into apps has never been more important. One of the criticisms of AJAX, used to increase and speed site interactivity, is that it could also be used to amplify attacks against outward facing Web apps—particularly against providers of Software-as-a-Service.

“Poor application development and a lack of integrating security best practices and tools into the SDLC [software development lifecycle] is one of the biggest security issues for Web 2.0,” says Gartner security analyst Amrit Williams. “Hackers are going after the application layer and businesses are externalizing more internally developed or outsourced applications.”

He notes that it’s important to use WS-Security mechanisms to incorporate authentication, authorization and encryption into Web services transactions and limit the attack surface of Web services by limiting administrative access.

“Web services provide a complex and distributed environment that is, in many cases, externalized outside of the network perimeter—this is coupled with rapid development that often doesn't follow secure development best practices,” says Williams.

However, Williams recommends several steps enterprises can take to reduce the risks of Web services deployment:

• Develop secure code and integrate security into the entire lifecycle;
• Implement XML schemas and WSDL;
• Harden and secure back-end databases;
• Monitor and audit log data from Web services;
• Define and implement security log output standards to assist security and operations with auditing and monitoring of Web service transactions;
• Scan the code for security vulnerabilities and exposures with automated testing tools;
• Segregate development and production environments; and
• Use standards, such as SAML and WS-Security, which are most likely to become ubiquitous.

“If you want the most versatile security mechanism right now, use a Web services security firewall or proxy,” adds Williams. “A ‘dev time’ vulnerability testing tool is also a good idea for custom development projects.”