The Secure Enterprise 2.0 Forum Issues Report on Web 2.0 Security Risks

NEW YORK, US – February 17, 2009 – The Secure Enterprise 2.0 Forum issued a report today revealing the top Web 2.0 security threats for business. The report highlights threats that are specific to Web 2.0 technologies, as well as “older” threats that are made more pernicious through “Web 2.0-type” behavior, such as wide-spread content sharing, community participation, and viral distribution of applications, widgets, and content.

The report identifies key Web 2.0 security threats, including the following:

• Cross Site Scripting (XSS) – malicious input is sent by an attacker, stored by a system, and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are more susceptible to XSS and malicious scripts. This type of functionality in which many users can create content viewed by other users is typical to Web 2.0 systems such as social networks, blogs or wikis, making Web 2.0 applications especially vulnerable to XSS. Web 2.0 applications rely heavily on user-generated input. In order to allow the user great control over the content design, applications often allow HTML tags that are not safe and can be abused for XSS.
• Cross Site Request Forgery (CSRF) / Cross Gadget Request Forgery (CGRF)– the victim visits a malicious web site. While content is displayed on the victim’s browser, the malicious site code generates requests to a different site to which the victim is authorized, for example through a persistent cookie. Such requests can perform operations on behalf of the victim, even across insecure gadgets on the same web page.
• Phishing – the victim receives by email a request to install a fraudulent widget, or is redirected to a fraudulent web site in order to fill an online form with sensitive information.
• Information Leakage – Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.
• Injection Flaws – Web 2.0 is vulnerable to new types of injection attacks, including XML injection, XPath injection, JavaScript injection and JSON injection. In addition, because they rely heavily on client-side code, Web 2.0 applications more often perform some client side input validation which an attacker can bypass.
• Information Integrity – Information correctness is one of the key elements of data security. While we usually think about loss of integrity due to a malicious hack, unintentional misinformation also leads to loss of integrity.
• Insufficient Anti-Automation – The programmatic interfaces exposed by Web 2.0 applications enable an attacker to automate attacks. Two examples of automation include brute force attacks and CSRF. Other examples include automated retrieval of a large amount of information and automatic opening of accounts, for example as part of a phishing attack.

“Companies are looking to incorporate popular Web 2.0 tools and services into their business toolbox, whether for marketing, brand awareness, customer service or streamlining business processes. Yet, many organizations are simply unaware of the risks and security challenges inherent in Web 2.0 technologies,” said David Lavenda, Secure Enterprise 2.0 Forum Member and VP Marketing and Product Strategy at WorkLight. “Blocking these technologies is simply not a solution. Today, most companies understand that. Instead, businesses need to look for ways to take advantage of these essentially free tools, while protecting corporate assets, and customer identity and personal information.”

Analyst reports have indicated that businesses have a growing interest in using widgets, social networks, mobile applications and other Web 2.0 tools for business. According to a McKinsey survey of companies, 87 percent of respondents plan to use Web 2.0 to interface with customers Among the top goals were to improve customer service (73 percent) and to acquire new customers (71 percent). Yet many companies are still in the dark when it comes to the security challenges involved with these tools.

Moreover, 78 percent of IT organizations are concerned about the risks of employee-driven, unsanctioned use of Web 2.0 tools and technologies, according to a leading industry analyst reports.

“Companies can address these security vulnerabilities head-on by enforcing strict policies, coupled with unique technological safeguard mechanisms,” said Ofer Shezaf, web security expert and author of the report. “Business data and customer information can be protected if IT departments recognize these associated risks and prepare accordingly.”

Click here for a free download of The Secure Enterprise 2.0 Forum report on Top Web 2.0 Security Threats