RSA Presentation

Last week San Francisco hosted the RSA USA 2010 Conference. I gave a presentation with the buzzword-heavy title, “Does Web 2.0 Need Web Security 2.0?“. (The presentation was lamentably labeled Advanced, even though it didn’t touch on in-depth technical details.)

The basic premise is that the term “web 2.0” as typically used bears little meaning for security (or otherwise). Most of the security problems of today, let alone the types of web sites, have precedents at least 10 years old. The distinguishing factor is that, although most of the vulnerabilities have remained the same, the number and sophistication of threats has increased.

Of course, there are emerging areas for web development and security, specifically the shift toward heavy client-side computing with JavaScript. So, while sites may be adopting new design patterns based on JSON, the xmlHttpRequest object, and DOM manipulation, they may also be lagging behind on enforcing state management, authorization, and authentication for the server-side aspect of the web site.

As developers continue to struggle with securing complex web applications, consumers of these allegedly 2.0 sites, i.e. Infrastructure, Platform, or Software as a Service, face security and privacy concerns outside of technical vulnerabilities like XSS or SQL injection. Information has value and when the information resides solely in the browser, attackers don’t need to worry about buffer overflows or firewalls in order to compromise that data.