How do you solve a problem like Web 2.0?

The new Web means new security threats – and new ways of dealing with them.

“Web 2.0 breaks what we know about traditional Web security,” said David Meizlik, product marketing manager for security solutions with Websense Inc. The company is pitching a new Web gateway appliance, the Websense V10000, aimed specifically at Web 2.0 security threats. The V10000 will ship later this month.

Ninety of the Top 100 sites on the Web contain user-generated content, Meizlik said. “That content is constantly changing,” he said, so traditional approaches to Web security aren’t adequate. Reputation-based services will examine the URL; others will white-list a site based on a scan that’s several hours old.

“You need an engine that can inspect that content in real time,” Meizlik said. “You’re talking about being inline with the content.”

In the case of mash-ups, some content on the page might be a security threat or simply inappropriate, while the rest of the page is not. Meizlik said the V10000 can block content elements individually, still allowing access to the page.

“It really opens up the Web in terms of where users can go and what content they can access,” he said.

David Senf, director of Canadian security and infrastructure software research for IDC Canada Ltd., said there are not just more people creating malware; there is also a bigger “attack surface” for them to compromise.

“Attackers love more features because there’s more to exploit,” Senf said. As data travel among mashed up applications, it can be compromised at many points, and there isn’t an identity scheme that helps users determine a level of trust among sites, Senf said.

And, he said, “There’s more social engineering going on than ever before.” He gives the example of layering one Flash application over another; on the surface, it’s a game where you have to click on a particular object, but doing so downloads spyware or a keystroke logger from the other application.

In a February report, Secure Enterprise 2.0 Forum identified specific Web 2.0 security vulnerabilities, including:

* Cross-site scripting, in which malicious content is sent to a system, then displayed to other users. Social networking sites are particularly vulnerable.

* Cross-site request forgery, in which the page a user is browsing generates requests to other sites for which that user is authorized.

* Phishing through fraudulent widgets that redirect to a malicious Web site.

* Leakage of sensitive information through social networking sites; items that may seem trivial in isolation can be unacceptable when combined with other small data items.

* Injection flaws; XML, XPath, JavaScript and JSON are all vulnerable.

The report cites a McKinsey & Co. survey that found 87 per cent of companies plan to use Web 2.0 technologies to reach customers; at the same time, 78 per cent are concerned about unsanctioned, employee-driven use of Web 2.0 tools.

“Business data and customer information can be protected if IT departments recognize (the) associated risks and prepare accordingly,” wrote Ofer Sheza, author of the report.

Meizlik said the security appliance takes the analytics of Websense’s ThreatSeeker technology and embeds it in the device. It works hand-in-hand with the company’s cloud-based security technology.

“It doesn’t just rely on on-premise technology,” he said.

The appliance is also built to host other Websense security technologies, for example data loss prevention, Meizlik said.

Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.