The SC Magazine Awards 2008 Blog

Web 2.0: A “Perfect Storm?”

Posted March 3, 2008

Roger Thornton, Founder/CTO, Fortify Software –
Web 2.0 technologies are spawning an explosive growth in client-side processing (Ajax/Flex), distribution of executable content (JSON), and the mixing of code from multiple sources (Mashups).

These represent architectural decisions in applications and their underlying frameworks that were made in order to improve user experience and application functionality. However, if we are not careful, these design decisions will also lead to an explosion in vulnerabilities that can be exploited both on the client and the server.

One of the major underpinnings of “Web 2.0” is the introduction of rich client interfaces based on Ajax or Adobe’s Flex platform. These technologies can greatly enhance the web user experience transforming it from simple web forms to the direct manipulation of a rich set of UI controls typically found only in desktop software today.

This requires that more code, in the form of JavaScript, execute on the client. This programming model also introduces lightweight distributed-computing mechanisms, namely JavaScript Object Notation (JSON) which facilitates the use of JavaScript as the primary means of communicating between client and server. Unlike transporting HTML and XML, we will now be transporting much more executable content.

Historically, whenever we depend on more software outside our control on the client or on executable content shared between programs, we see an increase in vulnerabilities. So here comes this next giant new trend and this one is the perfect storm.

Not only are we going to push code onto the client and pass around scripting code, we are also going to mashup all this code and content from multiple servers on a single client. Andrew Jaquith from Yankee Group termed it best in his 10/2007 research report – “The Web 2.0 Security Train Wreck”.

Web 2.0 applications and frameworks encourage developers to put more code on the client, ideally to enhance client side usability. But this will lead many developers to mistakenly put business logic and other critical code into the client without understanding the resulting security implications.

We call this class of problem a Trust Boundary Violation. This happens when we place code that requires a trusted execution environment into a location that is potentially under the control of our adversary. These types of problems were extremely common when JavaScript first made its way into web development. Back then developers would put input validation code in JavaScript on the client side in order to avoid a round-trip to the server when the user entered erroneous data. This was fine if the erroneous input was accidental; however, if it were malicious, JavaScript running in the attacker’s own browser would not foil the attacker. They would simply disable the JavaScript and enter the malicious input to an unsuspecting server program, likely to be vulnerable since it assumed the client-side checks were made.

More code on the client is fine, if that code is all eye candy to enhance the user experience. It is definitely not okay to put validation out there, and it’s absolutely not okay to put security controls out there.
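As an added illustration of the trust boundary violation described above (example code written for this page, not code from the author or from Fortify), the snippet below simulates an order endpoint whose only input check lives in client-side JavaScript, beside a server that repeats the check on the trusted side and keeps pricing out of the client. The order fields, quantity limit and catalogue are assumptions made up for the illustration.

```javascript
// Added example, not code from the original post or from Fortify: a simulated
// order endpoint whose only input check lives in client-side JavaScript, beside a
// server that repeats the check on the trusted side. The order fields, quantity
// limit and catalogue are assumptions made up for this illustration.

const MAX_QUANTITY = 10;
const CATALOGUE = { "sku-1": 20 };   // server-side price list (constructed)

// Runs in the browser: saves a round-trip when the user makes an honest mistake.
function clientValidate(order) {
  return Number.isInteger(order.quantity) &&
         order.quantity > 0 && order.quantity <= MAX_QUANTITY;
}

// Trust boundary violation: the server assumes the client already validated and
// even takes the price from the request, so business logic lives on the client.
function trustingServer(body) {
  const order = JSON.parse(body);
  return { accepted: true, total: order.quantity * order.unitPrice };
}

// Hardened server: parse the transported JSON as data (never eval it), then
// re-apply the same rule and use the server's own price list.
function checkedServer(body) {
  let order;
  try {
    order = JSON.parse(body);
  } catch (e) {
    return { accepted: false, reason: "malformed" };
  }
  if (typeof order !== "object" || order === null) {
    return { accepted: false, reason: "malformed" };
  }
  if (!(order.sku in CATALOGUE)) return { accepted: false, reason: "unknown sku" };
  if (!clientValidate(order)) return { accepted: false, reason: "bad quantity" };
  return { accepted: true, total: order.quantity * CATALOGUE[order.sku] };
}

// A well-behaved browser runs the client check before submitting.
function submitViaBrowser(order, server) {
  if (!clientValidate(order)) return { accepted: false, reason: "client rejected" };
  return server(JSON.stringify(order));
}

// A request built outside the browser never runs the client check at all.
function submitDirect(order, server) {
  return server(JSON.stringify(order));
}
```

The same input is rejected by the browser path, accepted by the trusting server when the browser is taken out of the loop, and rejected again by the server that validates for itself.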

While Web 2.0 will create a wave of vulnerable systems, it doesn’t necessarily mean that there are going to be new types of vulnerabilities: many of these problems are a rehash of the same old stuff that has simply found a new home. There’s going to be a cross-site scripting (XSS) explosion.

We may call them XSS problems, or give them fancier names like JavaScript Hijacking, but it’s fundamentally the same stuff. Careless handling of executable content is the underlying issue behind all variants of cross-site scripting (and SQL injection for that matter). Any design that calls for two programs passing executable content across trust boundaries will have to be carefully implemented (and used) to avoid inevitable security issues. That will be the case forever; the next big thing that does this will be a security problem too if we don’t learn this and design accordingly.

We must become better at recognizing these problems in the abstract if we are ever going to build things right the first time. Building things wrong, then waiting for the security community to find the mistakes (while the criminals exploit them), and then reworking everything is a major waste of development capacity and an unnecessary risk for businesses that increasingly depend on these systems.

What do we need to do to prepare for the Web 2.0 Train Wreck?

To borrow a couple of clichés: this train has already left the station and there is no stuffing the genie back in the bottle.

Your company is going to deploy lots of Web 2.0 technology and it will put your business at risk. What you can do is make sure that your security team is working closely with your software development teams (internal and third party). Stay on top of the vulnerabilities and exploits as they become public and be sure you have a quick-response setup to mitigate and repair any of your software applications that have Web 2.0 vulnerabilities.

At the same time we can all work on making sure software developers and system designers understand fundamental security concepts so that Web 3.0 can deliver on the astonishing functionality it will surely promise without putting our systems and data at such risk.

Filed under: Awards 2008

Web 2.0 needs Security 2.0

Posted February 26, 2008

Tom Kendra, Group President, Symantec Corp. –
While increased internet connectivity has fundamentally changed the way we do business, it also has introduced new security and IT risks that make yesterday’s approach to security ineffective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security.

Call it Security 2.0—an evolution in security that focuses not only on protecting systems and keeping hackers out but also on securing information and interactions. Security 2.0 is driven by policy, enabled by technology and strengthened by a well-managed infrastructure.

All large and publicly traded companies have IT and security policies they need to enforce. Developing security policies to meet the requirements of external regulations can be difficult and costly. Typically, these regulations do not include specific recommendations on what technologies and procedures a company should put in place to achieve and demonstrate compliance. Basing a security policy on frameworks such as ITIL, COBIT and ISO provides specific guidelines on what information a company needs to secure and what IT controls to implement.

In a Web 2.0 world, security policies must focus not simply on protecting devices but on securing information. After all, the primary purpose of the devices and systems that make up an IT infrastructure is to carry and contain the organization’s most valuable asset—its information. Consequently, a security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of confidential and sensitive information.

The growing sophistication of today’s attacks and the varied risks that businesses face in today’s connected world calls for security that is both scalable and layered. In addition, businesses must operationalize security by standardizing and automating the processes and the software. This will allow organizations to drive down the costs of day-to-day security activities so they can be more proactive when it comes to protection.

Companies need to have adequate antivirus, antispyware, and other signature-based protection in place. However, these measures are no longer enough on their own and must be layered with more proactive types of protection such as whitelisting or behavioral-based protection that analyzes patterns and reputation to block targeted threats before they happen.

Protecting the network must also be considered. Technologies like Network Access Control and anti-spam appliances are becoming commonplace within large and mid-size businesses to prevent bad things from entering the network. Data loss prevention (DLP) solutions are ideal for protecting the good things—sensitive information like customer credit card data or intellectual property—from exiting through the network.

As security becomes a foundational component of business, the traditional way with which companies manage it must change. A next-generation security strategy should embed security throughout an organization’s business processes. Security policies, workflows and technologies must span disconnected organizations to address the interconnected risks that threaten the organization as a whole, because the organization is only as protected as the weakest link in the security chain.

Tom Kendra is Group President, Security and Compliance Management Group, at Symantec Corp.

Filed under: Awards 2008

Shedding light on the shadow economy

Posted February 19, 2008

Maksym Schipka, Senior Architect, MessageLabs –

I have been spending a lot of time recently exploring the criminal underworld. The shadow internet economy is a $105 billion business and involves tens of thousands of participants – a market even bigger than the global drug trade.

As senior architect and chief malware researcher at messaging and web security provider MessageLabs, I am on the front lines of the internet daily, exploring and infiltrating the very websites and chat rooms that the bad guys are using to assemble their next attack.

Speaking Russian fluently, I am able to understand more of the websites, chat forums and exchanges that are very active in online crime. What I have discovered is disturbing. The shadow economy is more specialized and sophisticated than we ever believed possible. Online criminals boast of making $10,000 a day and there is little chance of ever being caught. The shadow economy operates similarly to the global economy with price competition, division of labor, specialized trade and marketing.

The crime starts with the malware author who creates a new virus, Trojan or spyware to infect a computer. These authors market their software in the hopes that a middleman will buy it. Off-the-shelf malware sells for about $250, and $25 per month gets a subscription to updates that will ensure the program evades detection. The middleman uses a botnet to spread their newly purchased malware, using its massive computing power for widespread spamming. As innocent, unassuming computer owners begin to respond, the middleman collects stolen credit card numbers with complete identities which he can sell for around 3 percent of the remaining card balance.

Some middlemen make a business out of laundering stolen credit cards, using a drop service to receive the goods purchased with a stolen credit card. An elaborate system of guarantors and escrow accounts has also emerged to regulate transactions in the underground. This proves that the market is growing more and more sophisticated and is driven by economics and the participants who value their long-term reputation in the shadow economy.

It is clear that the front runners in the shadow economy are constantly working to improve the quality of the products that they sell, testing them against anti-virus mechanisms to guarantee their products are effective. Every time a vendor updates its anti-virus product, the malware author creates a new version. In fact, malware authors can produce new malware as fast as every 45 seconds to keep it undetected.

For those of us in malware detection, this means that there is no end to malware in sight. Heuristic detection is the only surefire way to prevent the bad guys from propagating more malware.

Filed under: Awards 2008

Welcome to SC Magazine Awards 2008 Blog!

Posted February 15, 2008

Jack Rogers, Content Editor —
I am pleased to welcome all of our website visitors to the new SC Magazine Awards 2008 Blog. The Awards Blog will feature commentary from C-level executives of our SC Awards finalists, who will be posting their thoughts on current trends in our industry and the key challenges facing all organizations in today’s high-risk security environment. It is our hope that these high-level blog postings will provoke an ongoing dialogue among the industry leaders that are included in this year’s list of finalists. We also are inviting our readers and site visitors to comment on the Awards Blog postings.

All subjects related to the critical issues and challenges facing our industry are open to discussion on the SC Magazine Awards 2008 Blog. We ask only that bloggers avoid product-specific commentary in their postings, so we can maintain a high-level discussion that cuts across all sectors of the diverse universe that encompasses IT security.

We want to make it as easy as possible for you to participate in our new SC Magazine Awards 2008 Blog. All you have to do is email your blog postings or commentary to me at jack.rogers@haymarketmedia.com, and I will post them on our site.

Here are a few simple guidelines:
Blog submissions should not exceed 500 words.
All submissions should be vendor-agnostic and exclude product/service proselytizing.
Blog postings and commentary should focus on topics, trends and risks most relevant to today’s security industry.
Blog submissions must include byline, title and company name for author.

I’m sure you agree that our new SC Magazine Awards 2008 Blog is an excellent way for the security thought leadership of our industry to address the key issues facing everyone in IT security. Once again, welcome to the Awards 2008 Blog!
Jack Rogers
Content Editor
SCMagazineUS.com

Filed under: Awards 2008
