Web 2.0: How Secure are Your Sites?

By John McCormick

A growing number of Web sites allow customers to upload content, but security experts warn that these files could be infected with malicious code. Some tips for Web 2.0 security.

Corporate America's embrace of Web 2.0 technologies appears to be growing—but so, too, is a feeling of increased vulnerability.

Almost 75% of the information-technology managers polled recently by CIO Insight, which, like Baseline, is a Ziff Davis publication, say the advent of Web 2.0 technologies will increase their security risks over the next three years. CIO Insight has also pointed out that most technology managers see the big security issue as information leakage—workers posting trade secrets and such on their blogs.

But there's the other threat of someone—even a customer or partner—loading malicious content to a Web 2.0 site. And few companies seem to be prepared for that kind of problem.

"Here we're seeing some new, interesting potential problems," says Michael Weider, chief technology officer at security software and services company Watchfire. "Allowing people to upload content and images to your Web site, with no filters around what they can do, is definitely a cause for concern."

Web 2.0, broadly defined, refers to the technologies and culture behind user-driven applications such as blogs, podcasts, social networks (like MySpace), wikis and Really Simple Syndication (RSS) feeds. Over the past couple of years, companies have been using these applications to get closer to their customers. General Motors and Microsoft are just two of the companies that have corporate blogs. Most media outlets now offer RSS feeds, which facilitate blog and news updating.

But a number of Fortune 500 companies have also started to allow customers to upload personal videos and other material to their sites. An advisory just out from Finjan, the computer security software maker, outlines the danger here: "Since Web 2.0 platforms enable anyone to upload content, these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, innocent visitors to these sites can also be infected, and the site owners could be potentially responsible for damages incurred. What makes matters worse is that the vast majority of these sites [are] considered legitimate by URL Filtering/Categorization products, and as such will not be blocked despite the fact that they contain malicious code."

And Finjan says it has discovered malware embedded in JavaScript code and images that take advantage of browser vulnerabilities. "We found them and it's real," says Yuval Ben-Itzhak, chief technology officer at Finjan, about the danger.

Yet security experts such as Ben-Itzhak and Weider say corporations haven't really been thinking about, much less planning, how to protect these sites.

"[There's] not much thinking about the implications," Weider says. Corporate security personnel aren't that versed in Web 2.0 technologies, he explains, and even security companies such as his own are still developing Web 2.0 testing and countermeasures. "We're at that very early stage of really understanding these problems," he says.

But CIOs and CSOs should be taking any number of steps to better defend their Web 2.0 sites, say security experts. Granted, many of their recommendations are just good common sense, but they're worth repeating:

1. Set policies on what can and can't be uploaded. It's just like e-mail, according to Aaron Emigh, a security expert at blogging software maker Six Apart; companies need to decide what they will allow. Nail down a threat model and decide what threat level you're willing to tolerate.

2. Screen content, and employ behavior-based security analysis tools. Installing screening tools that can look at content before it is uploaded, Weider says, may seem pretty basic, but he notes that the practice is far from universal. And, he says, be aware that people may include links in their uploads that point to other sites that contain malware. Also, screening tools won't catch everything, Emigh says, so you may want to contract with a consultant that does penetration testing.

3. Employ a layered defense. Another one of those things that goes without saying these days, but it's good to remember that no one tool or policy will protect you from all threats.
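As an added illustration of tips 1 and 2 (this is not code from the article or from any vendor quoted in it), the Python below sketches a minimal upload-screening step: the allowed image types, the blocklisted hosts and the sample inputs are all constructed for the example. It verifies that an uploaded file's bytes match the type its name claims, flags script-like content, and pulls linked hostnames out of user-supplied text so they can be checked against a blocklist.

```python
import re
from typing import List

# Constructed allowlist: file types this hypothetical site decided to accept (tip 1),
# keyed by extension and mapped to the leading bytes a genuine file of that type starts with.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed blocklist standing in for a real malware-host feed.
LINK_BLOCKLIST = {"malware.example", "bad.example"}

# Hostnames of http(s) links in user text, and markup that has no business inside an image.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
SCRIPT_RE = re.compile(rb"<script|javascript:|<iframe", re.IGNORECASE)


def screen_image(filename: str, data: bytes) -> List[str]:
    """Return reasons to reject an uploaded image; an empty list means it passed."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signature = ALLOWED_SIGNATURES.get(ext)
    if signature is None:
        problems.append(f"extension '{ext}' not on the allowlist")
    elif not data.startswith(signature):
        # The bytes do not look like the type the name claims (e.g. HTML named .png).
        problems.append(f"content does not match declared type '{ext}'")
    if SCRIPT_RE.search(data):
        problems.append("embedded script-like content")
    return problems


def screen_text(text: str) -> List[str]:
    """Return blocklisted hosts linked from user text (tip 2: links can point at malware)."""
    hosts = {h.lower() for h in URL_RE.findall(text)}
    return sorted(hosts & LINK_BLOCKLIST)


if __name__ == "__main__":
    # Constructed sample uploads.
    print(screen_image("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(screen_image("photo.png", b"<html><script>alert(1)</script>"))
    print(screen_text("see http://malware.example/page and https://ok.example/"))
```

A header check is only a first filter: it does not catch a crafted image that exploits a browser decoder bug, which is the kind of content Finjan describes, so a production pipeline should also fully decode and re-encode images with an image library and run an anti-malware scan before publishing.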

"As we allow more and more control from users to create their own Web content," says Watchfire's Weider, "we're going to have more and more challenges to protect the end users."

This article was originally published on 2006-12-04