Wednesday, February 08, 2012

Focused conversations within the Georgia technology community.

Written by TAGthink
Weaving The Tangled Web 2.0: An Overview of Issues and Problems With Web 2.0

Created: 10/03/10
Author Name: John Howard Oxley
Author Company: American InterContinental University
Body of Topic

A famous definition of insanity is: “Doing the same thing over and over, and expecting different results”.[1] In the case of security threats as these relate to Web 2.0, we see the definition in action. As originally conceived, the InterNet was not designed to be secure, with the result that much of the benefit of this invention has been negated by pervasive and ongoing security threats. When wireless networking [which has strong resonances with Web 2.0 both as facilitator and exemplar] was introduced, it too had inadequate security, and the success of successive bolt-ons has been less than stellar, to put it mildly.[2] Adding Web 2.0 and its security issues to the mix simply exacerbates all of the problems of its predecessor technologies, while introducing additional vulnerabilities of its own.[3]

This white paper provides a brief overview of Web 2.0 security issues, starting with an explanation of what makes Web 2.0 activities particularly vulnerable. It then reviews recent evidence of attacks and exploits, giving some flavor of the serious security situation Web 2.0 technologies represent. It concludes with some basic recommendations [none of which will be particularly new to those involved with IT security] which can counteract the dangers of Web 2.0 security issues, although as will be clear, there really is no permanent cure.



[1] This definition is commonly attributed to Albert Einstein.

[2] A classic wide-ranging argument supporting this point was Noam Eppel’s “The Complete, Unquestionable, and Total Failure of Information Security: A long-overdue wake up call for the information security community”, which, ironically, is currently unavailable at its original Web site – the author can make an annotated copy available on request.

[3] A quick look at how the “bolt-on” “ground up” approach to Web 2.0 security represents the baneful heritage of InterNet security in general is Carl Weinschenk’s post: “Web 2.0 Security and the Uncertainty Principle” at http://www.itbusinessedge.com/blogs/top/?p=323&nr=dye.

 


 
