Learn to Work Safely with Web 2.0

Developers want their Web sites, intranets and internal apps to get the Web 2.0 makeover. Yet snappy design often outpaces security. Here are tips for approaching Web 2.0 projects safely.

By Mathew Schwartz | December 2007

Up to your elbows in Rich Internet Application development code?

Many developers are turning to so-called Web 2.0, RIA, or Web Services design patterns – including XML, SOAP, Ruby on Rails, not to mention asynchronous JavaScript and XML (Ajax) – to design high-performance, user-friendly applications, including content-sharing platforms, internal blogs, webmail and corporate social networking applications. According to one recent study, such technologies are already at work in 96 percent of organizations.

Yet this survey of 153 IT and security managers, by Forrester Research, also found that 90 percent of companies are concerned with how to protect this technology, and only 4 percent think they’ve gotten the security equation correct. As a result, some are pulling the plug on Web 2.0 development and external social site access altogether: The Web filtering software maker Barracuda Networks says 44 percent of its customers now block MySpace, and 26 percent block Facebook.

However, rather than simply outlawing Web 2.0 and social computing use, experts recommend a more balanced approach. “Don’t confuse the tools with the output currently generated on the Web using these tools,” says Forrester Analyst Rob Koplowitz. In other words, don’t equate CNN.com’s highlighting of the latest Lindsay Lohan liquor exploit with the fact Ajax is being used to produce the page. Rather, says Koplowitz, “take a hard look at how Web 2.0 tools are being used on the Internet, the value derived from those uses, and how the tools and social computing can be applied in a business context.”

And remember: Many employees will use free, third-party Web 2.0 tools despite their companies’ prohibitions. On the other hand, when these tools are built and maintained inside the corporate firewall, they can be highly secure.

To build secure Web 2.0 applications, experts recommend starting with these five steps:

1. Remember Web Application Security Lessons

According to research firm Gartner, 70 percent of all Web vulnerabilities can be traced to Web applications. While Web 2.0 applications may be fast, cheap and easy to build, many businesses forget that at heart, they’re still Web applications. As a result, “we’re starting to see vulnerabilities that were eliminated in classic Web applications – SQL injections, cross-site scripting, even cross-site injections, plus everything related to state management in transactions – coming back,” says Amichai Shulman, chief technology officer of data security vendor Imperva, based in Foster City, Calif.

2. Choose the Secure Option

Creating a secure Web 2.0 application requires making the right design decisions, says Ryan Berg, chief scientist at Ounce Labs in Waltham, Mass. “Many frameworks have ways where you can transport information (in a manner) that is more secure than another, so it’s up to the developer to understand the differences and weaknesses of doing things one way versus another.”

3. Validate User Input

As an example, Berg says choosing to validate user input is the single best technique for ensuring Web 2.0 security and avoiding common attacks such as SQL injections. “If I’m developing in Java, for example, and I’m binding query values to my SQL query, then that’s not vulnerable to SQL injection – it just isn’t. But there’s another way of making dynamic calls which is vulnerable.” Because frameworks allow for either option, businesses must specify application security in the design phase, and project managers must ensure developers create secure code.
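The two Java options Berg contrasts, shown here as an added example (not code from the article) using Python's built-in sqlite3 module so it runs without a database server: an allow-list check on the input, then the query built by string concatenation beside the query that binds the value as a parameter. The table contents are constructed sample data.

```python
import re
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn

# Step one of input validation: reject anything that is not a plausible
# username before it goes anywhere near a query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(value):
    return bool(USERNAME_RE.match(value))

def lookup_email_dynamic(conn, username):
    """The vulnerable pattern: query text is assembled from user input,
    so the input is parsed as SQL along with the rest of the statement."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_bound(conn, username):
    """The safe pattern: the value is bound to a placeholder and the database
    treats it purely as data, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]
```

Run both lookups with a benign name and with a value containing a quote character: the dynamic version changes the query's meaning, while the bound version only ever matches a literal username.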

4. Keep Security Logic on the Server

Web Services speed page-loading and functionality by allowing developers to move code from the server to the client. Just be careful what you relocate, says Shulman. “For example, many times access control is being migrated to client-side code, and of course an attacker can bypass the client-side code and interact directly with the server, which is now left vulnerable.”
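Shulman's point about access control, as an added example (not from the article) in Python: a server-side handler that trusts a privilege flag sent by the client beside one that derives the caller's role from its own session store. The session store, tokens and request shapes are constructed for illustration.

```python
# Constructed server-side session store: session token -> authenticated principal.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "admin"},
    "tok-bob": {"user": "bob", "role": "user"},
}

def delete_post_trusting_client(request):
    """Vulnerable: the page's JavaScript only shows the Delete button to
    admins, and the server trusts the 'is_admin' flag the client sends.
    Anyone who talks to the server directly can set that flag themselves."""
    if request["body"].get("is_admin"):
        return 200, "deleted"
    return 403, "forbidden"

def delete_post_server_checked(request):
    """Hardened: identity and role come from the server's session record,
    so nothing the client asserts about itself affects the decision."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "deleted"

def make_request(token, body):
    # Helper producing the minimal request structure both handlers read.
    return {"cookies": {"session": token} if token else {}, "body": body}
```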

5. Beware Shared Code

When developers want to solve a problem, they often search for free sample code to see if someone’s already found a solution. While this approach is easy, “unfortunately this sample code rarely (takes into account) any security considerations,” says Berg. As a result, “you have this pervasive copying of bad Web 2.0 design decisions.”

6. Master Web 2.0 Security Skills

With all of this in mind, where can programmers go to further study top Web 2.0 security threats? Berg recommends starting with the SANS Institute’s Top 20 list of security vulnerabilities, most of which involve Web applications, and also visiting the Open Web Application Security Project, or OWASP, and the Department of Homeland Security’s Build Security In project.

For a list of top Web 2.0 development skills – learning to handle access controls, inputs, errors, exceptions, and more – see Essential Skills for Secure Programmers Using Java/JavaEE, written by security experts from such organizations as Boeing, Deloitte & Touche, Kaiser Permanente and Ounce Labs. It’s available here in draft (PDF), but expect a final version in early 2008.

Mathew Schwartz is a freelance business and technology journalist based in Pennsylvania.