Web 2.0 Security


Please use the Comments and Attachments features below (once you are a member) to post your own thoughts and use cases.


The Web 2.0 Security page is being developed to enable government IT professionals to share information on implementing Web 2.0 applications safely and securely. The information in this section is intended to spark discussion and serve as a forum for information exchange. As we all know, there is no one "perfect" way to implement new application services from a security standpoint, and Web 2.0 is no exception to this rule. Any new technology carries inherent risk and vulnerabilities, from both a technical and a human standpoint. Our goal is to identify Web 2.0 risks and vulnerabilities in an unbiased manner and to discuss options and experiences in reducing those vulnerabilities and their associated risks.

General Web 2.0 Security Reference Reports

State of Web 2.0 use, policies and security worldwide - http://www.net-security.org/secworld.php?id=7535 and here is the Websense report that is referenced in the article.

Social Networking and National Security: How to Harness Web 2.0 to Protect the Country
Gartner Web 2.0 Security Reports - I like these because most say that you should continue to deploy Web 2.0 technologies but that you need to address the security issues. The articles all look at security from the application side and less from the network side. My opinion is that the new security threats will come from the application development side. Plugging holes in the network will not be enough.
March 5, 2008, Security Features Should Be Built Into Web 2.0 Applications
February 19, 2008, The Creative and Insecure World of Web 2.0
November 2, 2006, Web 2.0 Needs Security 101 (This one really talks about RSS and AJAX, but it is a bit dated)
SANS Institute Web 2.0 Articles
Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider - http://www.sans.org/reading_room/whitepapers/incident/2098.php
Top 10 Cyber Menaces in 2008 (Web 2.0 is #8 in this report) - http://www.sans.org/2008menaces/?utm_source=web-sans&utm_medium=text-ad&utm_content=text-link_2008menaces_homepage&utm_campaign=Top_10__Cyber_Security_Menaces_-_2008&ref=22218

Other General Web 2.0 Security Links & White Papers
Of course there is an O'Reilly book on this topic. It is called "Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast". I haven't read this particular book yet, but I have had good experiences in the past with the O'Reilly series. This is the link to order it from Amazon.com.

Web 2.0 Brings New Security Challenges - http://www.microsoft.com/midsizebusiness/businessvalue/Web-2-0-brings-new-security-challenges.mspx

Experts Hammer Web 2.0 Security - http://www.infoworld.com/article/08/02/21/Experts-hammer-Web-20-security_1.html

Top 10 Web 2.0 Security Attack Vectors - http://www.net-security.org/article.php?id=949

Web 2.0 Security Whitepaper by Trustix, available for free download - I like this one because it is recent, useful and has specific technical information.

Top Web 2.0 Security Vulnerabilities - The Secure Enterprise 2.0 Forum releases its Top Web 2.0 Security Vulnerabilities.

Web 2.0 Application Security (Application developers - you need to understand this)
As I have read more on Web 2.0 security, it has become apparent to me that the application side of things will be a major source of our vulnerabilities as we move to Web 2.0. This applies to Web 2.0 applications that we run internally as well as externally.

This is a great article that gives a general understanding of Web 2.0 application security. - http://www.owasp.org/images/b/b6/Jeopardy_in_Web_2.0_-_The_Next_Generation_Web_Applications.pdf

The Open Web Application Security Project (OWASP) is a free and open application security community. It has many good resources on Web 2.0 security.

For those developing Web applications in .NET, here is Microsoft's link to "Improving Web Application Security: Threats and Countermeasures".

AJAX Security Information
Ajax has become one of the main tools for developing more interactive capabilities on the web, so it is important that when we deploy or utilize Web 2.0 applications we understand how Ajax works. For examples of how Ajax can be used, see http://www.designvitality.com/blog/2007/10/43-exceptionally-useful-ajax-applications/. Ajax builds upon past web application tools and broadens their capabilities. The new functionality has created a more challenging environment from a security standpoint. Below are some points of reference for understanding Ajax and how to reduce security exposures.

Reduce Your Exposure to Ajax Threats - This gives a quick overview of how you can reduce your risks, and it also has many good links to other reference materials. - http://www.theregister.co.uk/2008/02/18/simple_ajax_security/

Ajax Security Basics - This article is somewhat old (2006), but I like it because it explains how Ajax works in an easy-to-understand format, so I can better understand the vulnerabilities and how to assess an application. - http://www.securityfocus.com/infocus/1868/2

Wikipedia - Definitions and links on Ajax - http://en.wikipedia.org/wiki/AJAX

Web 2.0 Application Security Scanning
To assist in determining whether Web 2.0 applications are being developed in a secure way, some companies are coming out with scanning tools for web applications. These types of services could be useful as governments deploy and utilize Web 2.0 applications. Here is an example of one of these types of services.

Oct 2008 - Qualys Releases QualysGuard PCI 3.0 with Web Application Security - http://www.reuters.com/article/pressRelease/idUS111980+01Oct-2008+BW20081001

Identity 2.0 & OpenID
As we continue to expand the use of Web 2.0 technology into our business and personal lives, the security of our personal identity becomes more important. Protecting and using your personal identity as you choose and when you choose will be one of the most important developments in expanding Web 2.0 deployment. Below is a collection of websites describing Identity 2.0 and OpenID developments and more places to get information. Several companies are developing Identity 2.0 services and solutions. They are quite interesting and seek to reduce the complexity and risks associated with current identity processes on the web.

A definition of Identity 2.0 - http://en.wikipedia.org/wiki/Identity_2.0

Articles and bloggers on Identity 2.0, by Dick Hardt, Founder & CEO of Sxip Identity; also includes Dick's 2005 keynote at OSCON, which Identity 2.0 fans claim is a "must see". - http://identity20.com/

OpenID is a solution based on Identity 2.0 concepts. Wikipedia provides a definition. - http://en.wikipedia.org/wiki/OpenID

Another source of a definition of OpenID - http://openid.net/what/

OpenID Foundation - an organization that seeks to promote and enable OpenID technology - http://openid.net/foundation/

Link to Yahoo's OpenID beta site - http://openid.yahoo.com/

Blogging and Microblogging Security

It has been difficult to find information specifically surrounding blog security as a topic. Yes, there have been security breaches, but most were addressed as isolated instances instead of as a product or software issue. It would be wise to spend some time researching your particular technology product's security. This topic seems to be evolving slowly or is just bundled in with other, more general Web 2.0 security issues. Only one site has information specifically on blog technical security.

BlogSecurity deals with social network and web blog security - http://blogsecurity.net/

Other areas deal with isolated instances and products as seen below.

A short blog on Yammer Security - http://info-architecture.blogspot.com/2008/11/implementing-enterprise-microblogging.html

A real story on Twitter Security - http://brianshaler.com/blog/2008/11/23/twitter-security-issue/

Gartner deals with blogging and microblogging security in the more general topics of Web 2.0.  See above.


Second Life Security Reference Reports

NEW Information - Second Life announced on April 1, 2009 that they are beta testing a behind-the-firewall version of Second Life. This will enable government entities to have a private secure space as well as a public open space, which is essential for public sites. See the blog post https://blogs.secondlife.com/community/grid/blog/2009/04/01/second-life-lives-behind-a-firewall for more information.


Gartner Second Life Security Reports

July 13, 2007, Three Challenges That Enterprises Face in Using Second Life

October 22, 2007, Five Reasons for Governments to Have Second Life and Five Reasons Not To

December 11, 2007, The Benefits and Pitfalls of Conferencing in Second Life

August 14, 2007, How to Create Effective Security in Virtual Worlds

July 13, 2007, Enterprises Face Security and Risk Management Issues in Virtual Worlds

Here are some sites Bill Greeves referenced earlier on Second Life:


With regards to other security concerns, I have also found a few other instances of "concerns":

* A few years ago, the SL user DB was hacked and user account info was potentially compromised. Some users provide credit card info to fund the fees associated with land ownership, etc. As far as I can tell, the issue was resolved without any leaks of personal info (http://secondlife.com/corporate/bulletin.php).

* The fed govt has been watching Second Life, as they fear it has the potential to be a recruiting area for terrorist groups (http://www.salon.com/opinion/feature/2008/02/25/avatars/).

* Some people who use virtual worlds have become a little obsessed and take their online life to extremes with cyberbullying and stalking: http://www.msnbc.msn.com/id/27337812/ (Yes, I know - very bizarre!)

Here are some other relevant resources regarding security:

Plugin architecture Security - http://wiki.secondlife.com/wiki/Plugin_architecture_Security

What antivirus processes does Linden Lab use to test Second Life? http://wiki.secondlife.com/wiki/What_Is_Our_Antivirus_Protection_Policy

Periodically, MuniGov 2.0 will publish security articles based on local government discussions and requests. To request a topic for research in Web 2.0 security, e-mail lfuentes@hampton.gov with your contact information and requested topic. Requests should come from local government entities seeking to utilize Web 2.0 technologies. Articles will be written by local government IT staff and executives unless otherwise stated.

A new security report has been published. See MuniGov Web 2.0 Security Articles to read about how to secure your land and sites in Second Life. User access is also discussed, with links to more resources. A summary table of user and land access capabilities is also included.