Top Web 2.0 Security Vulnerabilities Unveiled
The Secure Enterprise 2.0 Forum Issues Report on Web 2.0 Security Risks
NEW YORK, US – February 17, 2009 – The Secure Enterprise 2.0 Forum issued a report today revealing the top Web 2.0 security threats for business. The report highlights threats that are specific to Web 2.0 technologies, as well as “older” threats that are made more pernicious through “Web 2.0-type” behavior, such as widespread content sharing, community participation, and viral distribution of applications, widgets, and content.
The report identifies key Web 2.0 security threats, including the following:
• Cross Site Scripting (XSS) – malicious input is sent by an attacker, stored by a system, and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are more susceptible to XSS and malicious scripts. This type of functionality, in which many users can create content viewed by other users, is typical of Web 2.0 systems such as social networks, blogs or wikis, making Web 2.0 applications especially vulnerable to XSS. Web 2.0 applications rely heavily on user-generated input. To give users great control over content design, applications often allow HTML tags that are not safe and can be abused for XSS.
“Companies are looking to incorporate popular Web 2.0 tools and services into their business toolbox, whether for marketing, brand awareness, customer service or streamlining business processes. Yet, many organizations are simply unaware of the risks and security challenges inherent in Web 2.0 technologies,” said David Lavenda, Secure Enterprise 2.0 Forum Member and VP Marketing and Product Strategy at WorkLight. “Blocking these technologies is simply not a solution. Today, most companies understand that. Instead, businesses need to look for ways to take advantage of these essentially free tools, while protecting corporate assets, and customer identity and personal information.”
Analyst reports have indicated that businesses have a growing interest in using widgets, social networks, mobile applications and other Web 2.0 tools for business. According to a McKinsey survey of companies, 87 percent of respondents plan to use Web 2.0 to interface with customers. Among the top goals were to improve customer service (73 percent) and to acquire new customers (71 percent). Yet many companies are still in the dark when it comes to the security challenges involved with these tools.
Moreover, 78 percent of IT organizations are concerned about the risks of employee-driven, unsanctioned use of Web 2.0 tools and technologies, according to a leading industry analyst's reports.
“Companies can address these security vulnerabilities head-on by enforcing strict policies, coupled with unique technological safeguard mechanisms,” said Ofer Shezaf, web security expert and author of the report. “Business data and customer information can be protected if IT departments recognize these associated risks and prepare accordingly.”