Last week San Francisco hosted the RSA USA 2010 Conference. I gave a presentation with the buzzword-heavy title, “Does Web 2.0 Need Web Security 2.0?“. (The presentation was lamentably labeled Advanced, even though it didn’t touch on in-depth technical details.)
The basic premise is that the term “web 2.0” as typically used bears little meaning for security (or otherwise). Most of the security problems of today, let alone the types of web sites, have precedents at least 10 years old. The distinguishing factor is that, although most of the vulnerabilities have remained the same, the number and sophistication of threats has increased.
As developers continue to struggle with securing complex web applications, consumers of these allegedly 2.0 sites, i.e. Infrastructure, Platform, or Software as a Service, face security and privacy concerns outside of technical vulnerabilities like XSS or SQL injection. Information has value and when the information resides solely in the browser, attackers don’t need to worry about buffer overflows or firewalls in order to compromise that data.