
Michael Weider

A car that has fewer options has fewer things that can break. Power steering, power locks, power seats, seat warmers and the myriad of other car features provide a better experience, but they also have more items that require maintenance.

The same complexities we see with a fully loaded car apply to Web functionality. Web 2.0 has arrived, and the race to adopt it has brought with it collaborative online environments: socially driven content that is redefining how Web applications are developed and used. The result is a richer, more fulfilling Web experience. The consequence, however, is that the dynamic new Web 2.0 design principles open a host of new avenues for attack, leaving Web 2.0-based applications vulnerable and data privacy at risk of compromise.

With the explosion of Web 2.0 concepts powering more and more Web sites, the Web is reaching new potentials for interactivity. But with that progress it becomes even more important to proactively address the heightened security and privacy vulnerabilities, as the same technologies that make for a more user-friendly Web can also make for less secure Web applications.

This article highlights the most common Web 2.0 vulnerabilities that privacy and security professionals need to be aware of, including a better understanding of how Web services and AJAX can be exploited and the attacks they can enable. Readers will also learn tips and best practices for securing next-generation applications that can be applied immediately as enterprises continue the push to deploy Web 2.0, ensuring they can meet current and future online security challenges.

What Is Web 2.0?
Web 2.0 carries a high profile and surrounding hype. There is increasing pressure on developers to quickly adopt this new second generation of dynamic, interactive and simple by design technologies. Web 2.0 can be described in two ways:

1) New ways to build rich Web sites.
Often not characterized as Web 2.0, Asynchronous JavaScript and XML (AJAX) and other new rapid application development techniques are in vogue for creating rich Web sites that are highly interactive and more easily deployed and used.

AJAX delivers a rich user interface by displaying more dynamic content. Another common technique is Really Simple Syndication (RSS) feeds, an XML-based standard that allows sites to publish information feeds that users subscribe to. This is most commonly used to subscribe to blogs and news articles.

2) Socially driven content.
The Web experience is now defined by community and by content created and posted by Web users. Web sites are now amorphous entities, and their vitality is defined by the people who visit them.

In the last couple of years the Web has moved from a collection of static pages to a more interactive and dynamic environment. This shift has been heralded as Web 2.0 and has given more users more power. No longer is the Web a place where only technical folks can produce content. Instead, with the click of a button, non-technical users from children to seniors are able to upload information to personal or corporate sites, produce interactive pages or share content. Popular dynamic sites such as YouTube, MySpace and Flickr are the poster children for this new Web world.

Why Adopt Web 2.0 Technologies?
Competition and ease-of-use are at the top of the list as reasons why Web 2.0 is attractive. Like viral marketing, more companies want to communicate more directly to their prospective and current customers. Building sites that include interactive messaging, commenting and user areas allows for more open communication gates. Users can interact with other users and company executives.

Price is also a consideration. Web applications have proven to be more cost effective than their clunky client-server counterparts. Web 2.0 applications, built with Rapid Application Development (RAD) techniques, are built faster and therefore require even less of an investment.

Web 2.0 Dangers
With Web 2.0, the functionality and experience of the sites become the primary focus, and the technology empowering the dynamic content is hidden behind the scenes to the average user. Yet the Web applications underneath the polished finish remain just as complex, and add a variety of new and often unproven or unsecured technologies to the back end.

In the rush to unveil more interactive sites, developers are urged to release functional sites that often lack added security measures. Attackers have quickly learned to exploit the shortcomings in this code. If hackers are able to get at sensitive information, your organization runs the risk of a data privacy breach, not to mention being non-compliant with a host of mandated legislation. This has resulted in an urgent need to audit and assess these sites for security vulnerabilities. In order for Web 2.0 technologies to reach their full potential, inherent security issues must be recognized and addressed, and businesses must incorporate security best practices into application development.

In addition to structural security flaws, there are also user threats, including the loading of malicious content. Sites that encourage end user postings typically have no way to stop the uploading of content that might distribute malicious code to other site visitors. In similar ways, other user-driven Web sites, including blogs, podcasts and social networking sites, are prone to both security and privacy issues.

For example, many sites offer members the ability to send news bulletins to other members. When a member submits his or her individual bulletin, a URL is automatically sent to the friends the member selected. One published instance highlighted that by simply changing the bulletin ID number in that URL, users were able to access the news bulletins of other members, which they had never been notified about, and read their contents. Being able to view the postings of others without permission is a significant privacy glitch, and while it seems as though democracy has come to the Internet, more freedom means increased potential for abuse and errors.
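The bulletin-ID flaw described above, as an added example that is not from the article: the unchecked lookup, which trusts the ID in the URL alone, beside a hardened version that checks the requesting member against the bulletin's author and recipient list before returning anything. The in-memory store, member names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Bulletin:
    bulletin_id: int
    author: str
    recipients: Set[str]
    body: str


# Constructed sample data: two members each sent a bulletin to selected friends.
BULLETINS: Dict[int, Bulletin] = {
    101: Bulletin(101, "alice", {"bob", "carol"}, "Alice's bulletin"),
    102: Bulletin(102, "dave", {"erin"}, "Dave's bulletin"),
}


def get_bulletin_unchecked(bulletin_id: int) -> str:
    """The flawed pattern: the numeric ID taken from the URL is the only
    thing consulted, so any member who edits the number reads any bulletin."""
    return BULLETINS[bulletin_id].body


class NotAuthorized(Exception):
    """Raised for bulletins the requesting member may not read."""


def can_read(current_user: str, bulletin_id: int) -> bool:
    """Authorization rule: only the author or a listed recipient may read.
    An unknown ID is treated exactly like a forbidden one, so callers cannot
    use the response to learn which IDs exist."""
    b = BULLETINS.get(bulletin_id)
    if b is None:
        return False
    return current_user == b.author or current_user in b.recipients


def get_bulletin(current_user: str, bulletin_id: int) -> str:
    """Hardened lookup. `current_user` must come from the server-side session,
    never from a request parameter, or the check can be bypassed the same way."""
    if not can_read(current_user, bulletin_id):
        raise NotAuthorized(f"bulletin {bulletin_id} is not available to {current_user}")
    return BULLETINS[bulletin_id].body
```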

As in our car example, the new features create new avenues for exploitation. The majority of Web 1.0 users interacted with single functions on single pages. Now AJAX programming allows any given page to have dozens of features and functions, running independently as well as interacting with each other. This means a fragmentation of communication and the possibility that Web application vulnerabilities that have been around for years might increase exponentially. The most common vulnerabilities include SQL injection, cross-site scripting (XSS), buffer and SOAP overflows and XML attacks.

The dependence on technology means the new vulnerabilities brought by Web 2.0 are inevitable. Back in the old days of the Web, even three or four years ago, users could boost their security by turning off JavaScript. Doing so now would all but render a Web site useless. In effect, the user would be disabling the exact tools that make the Web useful and efficient.

Why Does My Organization Need to Worry About Web 2.0 Safety?
Organizations of all sizes and in every market with an Internet presence have been attacked. Media reports regularly cover the larger companies: MySpace suffered from a QuickTime XSS worm, Yahoo Mail was recently hit by the Yamanner worm attack, and even Google's Gmail has had to overcome XSS problems.

As in any other case of negative publicity, there is damage to the brand name and potential lost business if your Web applications fail because of security threats. But a greater risk is that sensitive data could be compromised, and with that comes everything from minor legal headaches to large lawsuits.

How Do I Protect My Web Applications?
One of the most effective solutions is to fix weaknesses before they are ever launched. While it sounds like a common sense suggestion, most applications are not built with security in mind.

Overworked developers, who are not trained in security, are not building application-level security into the process. As stated, one of the benefits of Web applications is speed to market. But with this comes the downside that long development cycles, which normally include heavy QA and security testing, are discarded in favor of posting applications live as soon as they are functional.

In order to ensure safe and working Web applications, companies should adhere to strict security testing standards from the development phase through the QA phase of the build cycle. This can be done through the use of security scanning tools and penetration tests. And given the dynamic nature of these sites, it is important to continue periodic post-deployment security testing to monitor the live state of the Web site and its ever-changing applications.

Another important, but sometimes overlooked, suggestion is to monitor metrics on Web application vulnerabilities throughout the development cycle. Keep track of all vulnerabilities and fixes. Management can't address issues they don't know about.

Monitoring vulnerabilities across the development cycle has a huge impact on the educational front as well. To stop the cycle and regain control over Web application security, developers need to know what mistakes are being made so they don't continue to repeat them. Companies can also set limits on what types of content can be changed or uploaded. An organization's users can be educated as well, letting them know about the dangers and how to avoid them while online.

While more user interaction may be the ultimate goal, it's important to first design threat models in order to determine what levels of risk the company can assume. A retail company's Web site, for example, can accept lower security standards for a Web application designed to locate a retail store near the user, while a higher security standard is required for the actual e-commerce and credit-card processing applications.

Lastly, Web 2.0 is here to stay, at least until new technology ushers us into the Web 3.0 phase. The trend is racing toward more user interaction and more power to the masses. With that in mind, be sure to use technology judiciously and learn how to manage risk with all your Web site applications.

Michael Weider is the founder and CTO of Watchfire, a leading provider of software and services to help ensure the security and compliance of Web sites.
