A recently documented major vulnerability in Web 2.0 and Ajax-based software highlights the need for security to be built into applications at the start of development.
Early this month, Fortify Software, a provider of technology for identifying, managing and remediating software security vulnerabilities, announced that it had documented a major vulnerability in Web 2.0 frameworks and Ajax-based software.
From a security perspective, Gartner said, Web 2.0 is reminiscent of Web 1.0.
According to Gartner, enterprises rushed to market--and constantly updated--new Web applications based on these new technologies, often bypassing established processes for ensuring application quality and security. Fundamental tenets of application security were ignored or overlooked in the rush to apply these new technologies, leading to years of Web defacements, mass worm attacks, cross-site scripting, phishing and identity theft.
Gartner noted that it "believes that these mistakes are unnecessary, and that enterprises can achieve a balance between achieving the business advantages promised by Web 2.0 and maintaining security".
The report added that "security tools and processes can be extended to build security into Web 2.0--to prevent attacks leading to damaging compromises of customer and other business data--without impacting the usability or time to market of those applications".
One security expert warned that the recent Fortify report is a distraction from the real issue.
Paul Ducklin, head of technology at Sophos Asia-Pacific, noted that the report "has become such a talking point that we risk losing sight of the clear and present danger posed right now on the Web, [which is] in the form of real--and unfortunately quite effective--attacks by determined cybercriminals".
He said in an e-mail interview with ZDNet Asia: "A cynic might say that Web 2.0 is nothing new, and would be correct, since the common technologies behind it have existed for some time."
Ducklin also noted that the issue is not just "how secure Web 2.0 applications are", but "how attractive browsers and Web sites are as a money-making target for cybercriminals".
Sang Shin, a Java technology architect at Sun Microsystems, noted that security risk increases in Web 2.0 applications, since there are more participants in a collaborative computing environment.
He added: "What this means is that Web 2.0 applications need to do more vigorous input data validation. And this input validation has to be done not only for data coming from end-users but also for data from partners."
Shin said more organizations are considering security issues as architectural and functional design concerns, instead of treating them as afterthought issues. "I believe the Web 2.0 environment in general accelerates this trend because there are more participants in the form of end users and partners, thus increasing the security risks," he said.