The Vulnerability of Web 2.0 Technologies

Web 2.0 technologies are fraught with vulnerabilities. Seventy-one percent of all security vulnerabilities were attributed to both open source and commercial Web applications, according to a report by security firm Cenzic Inc., “Application Security Trend Report for Q4 2007.”

But before you freak out, let's put this in perspective. Cenzic is a security firm, which offers many products, which boast “complete web application security vulnerability management, and security enforcement assessment software.” With software like that to sell, their report surely isn't going to tell you that Web apps are safe and secure.

This is fine, because as we all know they are not. So let's take a look at their findings.

• Applications written in PHP comprise roughly 30 percent of all vulnerabilities.
• Roughly 70 percent of the reported vulnerabilities are easily or trivially exploitable.
• Vulnerabilities in Web server or Web application server technologies comprised around 10 percent of the total reported Web application vulnerabilities.
• Vulnerabilities in Web browsers comprised roughly 5 percent of the total reported application vulnerabilities — down three percent from Q3 2007.

The report also focused on the Web application hacking techniques, which subsequently showed “a continuing sophistication” among hackers to “exploit client-side security issues”. While many of these attacks used malicious code embedded within compromised Web applications, JavaScript hacking techniques emerged as well.

From its research, Cenzic selected the Top Five Web hacking trends of 2007:

• Javascript Trickery: Hiding, Anti-Pinning, and Mutating
• Universal XSS in Adobe Acrobat Reader
• Mass-SQL Injection Worm
• Google Gadgets, and Gmail Hacks
• ORKUT XSS Worm

Ultimately, after analyzing vulnerabilities across high-level categories, web browser, probe and attack data by incident, category and sector and attacker motivation, Cenzic summarized that:

“Despite the growing importance that many organizations place on protecting confidential user data, architectural and design flaws, as well as insecure application configurations are still common culprits in the exposure of sensitive user information.”

It's hardly revolutionary to suggest that with any new technology there will be vulnerabilities. It's unsettling, but not unexpected. It's a lesson in due diligence and in keeping up-to-date with the latest releases and news.

Like other crucial elements to the user experience, the security of your web applications is not one to let fall by the way-side.

Related Enterprise 2.0 Articles

• Persuasive 2010: Last Call for Paper Submissions
• SocialFest: Building Enterprise 2.0 Apps on SharePoint
• Google Challenges Compliance Competitors with New Postini Features
• Flurry: Analytics for Mobile Application Developers
• Google Extends Google Apps Script to Standard Edition Users
• FMYI Celebrates Massive Growth with New Brand Video
• Mobile Instant Messaging Added to Bitrix Intranet Portal

From our Job Board  View all jobs | Jobs RSS feed | Post a job right now

• UI Developer at DotNetNuke
• Web Dev Badass at InterWorks
• Front-end Engineer at isocket
• Platform Architect at MyWire
• IT Business Development Manager / Sales Executive at ISIS Papyrus
• Product Support Engineer at Digitech Systems
• UI Designer at Mochi Media
• SharePoint Developer at Metalogix

Featured Events  View all events | Events RSS feed | Add your event

• Feb 17, 2010 – Webinar: 4 Essential Strategies for Advancing Your Website's Business Impact
• Feb 26, 2010 – Intelligent Content 2010
• Apr 21, 2010 – Drupalcon San Francisco 2010
• May 5, 2010 – CMS Expo 2010 (Evanston)
• Oct 7, 2010 – HartmanEVENT 2010 - Social Media & Mobile Usability