Web 2.0 and Security

For the past few months, I’ve been thinking that security is going to be of paramount importance to web 2.0. The style of programming for web 2.0, the desire to always push the limit of Javascript and to find new and innovative ways to speed up the client/server communication, are bound to result in numerous security flaws. It doesn’t help that a number of web 2.0 hackers continue to bemoan the “limitations” of browsers, like same-origin policies.

CNET has a reasonably accurate taste of what’s coming. Indeed, web 2.0 provides more paths for cross-site scripting attacks, because the content is often user-generated. Indeed, the use of AJAX creates more opportunities for mistakes. All of these are solvable, of course, but as the complexity of web software increases, the security issues will become paramount.

There are two pitfalls ahead of us:

  1. extreme paranoia: old-school IT managers may say “see, web 2.0/AJAX is insecure.” No, web 2.0 and AJAX are not inherently insecure. Don’t discount these new technologies because of security FUD.
  2. history repeats itself: new web 2.0 hackers may repeat the exact same mistakes that the old web hackers (including me) made in the late 1990s. They’ll continue to claim that “there’s nothing wrong with cross-domain AJAX,” continue to ignore the requirements of big IT shops with firewalls and large install bases and high liability in case of data loss, and they’ll forget about defense in depth. Remember how everyone loves to blame Microsoft for the lack of security in its applications? The same applies here. If you run a web 2.0 application, you’re responsible for the security of your users, to every possible extent.

The future of rich web applications is very bright, and security will be a major issue, just like it is in every network computing field. It’s going to be an interesting next 2-3 years.

UPDATE: How could I miss this report from F-Secure. That’s right, security companies and virus watchdogs are talking more and more about web vulnerabilities.