Wed, 7 May 2008

Web 2.0 opens security holes

Although Web 2.0 has allowed for a new way of thinking about using the Web, there are many negative security implications.

Speaking at ITWeb Security Summit 2008, in Midrand yesterday, Charl van der Walt, founding member of Sensepost, explained that Web 2.0 has created a technical evolution.

“Technologies such as XML and CSS, JSON/AJAX and WSDL and Web services and XMLHTTPRequest Object, RSS and Atom and mash-ups are all Web 2.0 enablers. But these do nothing to increase security. In fact, they only obfuscate potential flaws,” he explained.

According to Ian de Villiers, senior developer from Sensepost, Web 2.0 has shifted focus from commercially-driven content to user-driven content.

“The user is now where the value lies (content), which makes them an attractive target,” he said. “And information is the new currency.”

David Maman, senior technologist at Fortinet, said: “Today, everyone is a content and service provider. Everyone can be heard and everyone is sharing information. Web 2.0 has really changed the way we are forced to look at security.

“Furthermore, the nature of mobile technologies is that your identity can travel with you. You are always available. But what about roaming security solutions?” he warned.


 Comments (5)

Craig Tobias said:

Changing Security Threat
I think you have to put this in context, the threat is simply changing. For example if one deploys a wiki system that has a database on the backend. There is now little incentive to go through the trouble of breaking into the database when you can simply hit the edit button. The idea behind peer review is that you will know about content issues faster and in many cases your user base will clean these issues for you.

Now I’m not saying there aren’t security concerns, I’m simply saying we now need to take a different look at what we are trying to protect.

Craig Tobias
Cisco Systems
May 12, 2008

jdoe said:

I fail to see any point in this article
I fail to see any actual point in this article, other than it being some kind of press release for the ITWeb Security Summit. What exactly are the ‘negative security implications’ and what does user-provided content have to do with this? It looks to me like a series of pointless generalisations and several meaningless questions.

"Web 2.0" hasn’t fundamentally changed the way we think about using the web. So far "Web 2.0" has added a few interesting user interface widgets and a couple of interesting possibilities with regard to web services. All the technologies mentioned aren’t ‘enablers’, they are the very core technologies in what is commonly referred to as ‘Web 2.0’.

There is no discernible focus shift from commercially driven content to user-driven content. It’s just that tons of "user-driven" content has become available in the last few years. You can count on one hand the number of innovative new ‘Web 2.0’ user-driven content providers and you don’t even need a whole hand to count the number of technologies needed to do this.

"Information is the new currency" - what does this mean? That we can now buy and sell stuff using e-mails? This is just a catch-phrase. There is no ‘new’ transaction involving information. The sentence makes you think for a moment (if you’re thinking at all) and then quickly dissolves into "Everything is a currency" and then quickly becomes meaningless.

Not everyone is a content or service provider. Not everyone can be heard and not everyone is sharing information. Unless you’re a respected information technology visionary with an actual point, statements like these are really just feel-good arm-waving. The fact is that without extensive work and often complex and somewhat unethical machinations, no viral ad campaign or self-released album is ever going to get even a first glance. A whole industry (SEO) has built itself up around this amazingly egalitarian system which, for a fee, will by hook or by crook try to hoist your content onto the first Google results page, if you’re lucky. So how has this forced us to change the way we look at security?

I would posit that any really revolutionary technological advancement on the web would hit us so fast and hard that the gentlemen mentioned in the article wouldn’t have the time to be forced to do anything, let alone ‘change the way we look at security’.

What does it mean, "your identity can travel with you"? It already does, in the form of my ID book and my driver’s license. "You are always available" - that’s not really that profound, given that we’ve had cell phones for a number of years now and pagers before that... "but what about roaming security solutions" - what indeed, about roaming security solutions? Why not first give us some of the questions, before you sell me a solution?

In short, complexity in software by its very nature will result in complexity in the security built into or surrounding it. This is not new. This is not revolutionary. This is just common sense.
May 07, 2008

rafiq said:

Misleading headline
Did he provide any solutions to the problems or examples of security problems?

May 07, 2008

Uberkraaker said:

JDOOES
So why didn’t you do a presentation if you are so knowledgeable on the subject? I’m guessing you weren’t even there to hear the presentation in its entirety, otherwise you would have commented then. It seems quite apparent you have either a personal issue or argument relating directly to the speaker or the company he represents. That or you’re a coward, because I’m sure you would have understood if you attended.
May 07, 2008

JDOE said:

No Problem
I don’t know these guys and I especially don’t know the context in which these things were said... because the article seems to be grabbing random sound bites, not really explaining anything. If that’s okay with you then maybe press releases are your thing. I would love to see a bit more depth to what is written here. Quoting a couple of random company execs does not make for an enlightening article, particularly when what is quoted is as meaningless as this.
I would have loved to see the presentations, but these things aren’t always geographically possible.
I have nothing personal against any of them or their companies. I have a lot against what they said. If you are using the fact that I attacked what they said as an indication, then I could suggest that you have something against me personally, which I doubt, because I have no idea who you are.
I doubt you can measure my bravery or level of cowardice by reading a post. I think for that we would need pistols at dawn.
I am absolutely sure that I would have understood if I had attended, and I’m sure that had they said anything else worth reporting on, I would have read it here, unless we can both blame the reporter for not writing about the real insights that these people have.
Incidentally, I notice you don’t really argue anything I say; you have chosen to just call me names and get personal. Well, okay, I guess if that’s what floats your boat.
And lastly, I would not have a problem giving a presentation. I don’t think I have a big enough company or have golfed with the right people for anyone to listen to me, but I’m willing to give it a try. I think I have enough knowledge to have an opinion.
May 07, 2008
