You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion, Machine Learning , Agile Computing

ColdFusion: Article

Did You Get the Web 2.0 Memo?

No, you did not miss the memo or a software upgrade notice, yet you've already arrived at Web 2.0

What’s Secure?
When discussing Web 2.0 security, keep this dynamic in mind: AJAX is not insecure but many insecure Websites today are built with AJAX.

Over time, we have vetted the majority of security issues with the underlying protocols for Web 1.0. Today, however, the layering of new next-generation programming languages on top of these protocols in Web 2.0 has given the Internet’s bad guys a whole new set of opportunities to exploit. A great example of this would, of course, be AJAX , the popular Web 2.0 programming language. The asynchronous nature of AJAX clearly improves the users experience on a Website by taking interactivity to an entirely new level. However, it also dramatically increases the chances that things can go terribly wrong from a security perspective.

Here’s why: older synchronous programming languages restricted interaction to that of a defined and orderly format – safeguarding us all from security chaos. In stark contrast, AJAX operates asynchronously, whereby actions do not necessarily follow a defined orderly format. The result: it’s nearly impossible to fully vet out any potential bugs that could result in security issues. All of the risks associated with any programming language (such as race conditions, code correctness, object violations, and incorrect error handling) are amplified significantly when operating in an asynchronous environment such as that provided by AJAX.

The mere use of AJAX in Web 2.0 applications can increase the possible threat envelope due to the increased interactivity with the user’s browser. Further, if the Website-based AJAX program also needs to interact with the JavaScript that runs on the user’s browser, an additional security risk is now added to the risk equation.

Some pundits argue that AJAX by-and-of-itself is not at fault and that AJAX does not increase the threat envelope. Instead, they would argue, the real issue is AJAX programmers. By using AJAX to increase application functionality, the programmer theoretically increases the possible number of server-side vulnerabilities. This argument actually supports my original position. I never said bugs within AJAX were causing the threat envelope problem. I clearly said it is the “use” of AJAX that increases the possible threat envelope.

One final point on AJAX: it is relatively new, and secure programming standards have not yet been fully vetted. As a result, traditional Website vulnerabilities to attacks like XSS (Cross Site Scripting) could start re-appearing in Web 2.0 Websites.

Consider this: the worm that was used to attack MySpace (enabled by AJAX), as well as the worm that was used to attack Yahoo! (also enabled by AJAX), both took advantage of a component of AJAX called XHR to help propagate the worms.

Déjà vu – Are We Building Yet Another Bubble?
Web 2.0 certainly allows us all to innovate on the Internet. Unfortunately, similar to what happened in the early 1990’s Internet boom, businesses and individuals are rushing the deployment of these new Web capabilities and features with little, if any, regard to security.

Hence, we find ourselves in a position now, due in large part to rushed Web 2.0 implementations, that the Internet is a much more dangerous place to be than it has ever been. Web-based e-mail providers, photo-sharing Websites, blogs, Wikis, and social networking sites have all fallen victim to malicious hackers due to their lack of consideration of security in the “new” Web 2.0 world.

Internet Threat Vectors
In their quest to harness the power of the Internet, enterprises began increasing the connectivity of their internal applications to the Web. The threat vector originally involved layer 4 (the network layer) of the OSI model, where inspection is primarily limited to an IP address and port numbers in stateful packet filters. But the threat vector soon shifted to layer 7 (the application layer), where attackers could exploit the vulnerabilities of Internet-connected applications.

Now, for the problem: As the threat vector shifted from layer 4 to layer 7, our defenses simply did not keep pace,

With the change in the threat vector, signatures for known attacks began to find their way into firewall security products. Some stateful packet filter vendors attempted to offer at least some level of application layer attack protection. This protection methodology is often called a Negative Security Model, whereby all traffic is allowed to flow freely and the protective mechanism uses the signature of known attacks layered on top of their Stateful packet filters. This approach attempts to enumerate potentially malicious traffic and to block it only once (and if) it has in fact been identified.

Unfortunately, the Negative Security Model is only reactive in nature. Admittedly, these products are marketed as being proactive because of their ability to automatically block an attack on behalf of the product user. However, a signature for a given attack must first be created before any defense against that particular attack can be afforded. As a result, the use of this methodology in reality is not at all proactive and is at best only a reactive methodology. In today’s environment, where over 6,000 application vulnerabilities are reported annually, vendors are having a difficult time maintaining defensive signatures for these known attacks.

What about all the unknown threats circulating across the Web? A recent study found that the typical vulnerability exists for up to 348 days before public disclosure. Hence the malicious hacker who found the vulnerability could potentially have free rein for nearly a year to exploit a vulnerability before a defensive signature can be created.

The problems don’t end there. In a recent article, IBM warned that there is a colossal difference between the number of vulnerabilities disclosed publicly and the number of vulnerabilities that are discovered and are not publicly reported. IBM has estimated that up to 139,362 vulnerabilities are discovered annually – but not reported publicly.

Remaining Application-Layer Risks with Web 2.0
Clearly, the increased functionality of Web 2.0 Websites along with the relatively new underlying programming languages are creating new threat vectors and revitalizing traditional threat vectors. The most common and “most concerning” threat vectors for Web 2.0 include:

  • Web-borne malware
  • Real-time RSS/Atom Feeds with JavaScript Malware inside
  • XSS Scripting (Cross Site Scripting) – e.g., MySpace Worm
  • CSRF (Cross Site Request Forgeries) – Stealing data in Java space, e.g., Gmail
  • XSS filter bypassing – ENCODING
  • Exponential XSS Attacks – No need to limit to one Website
  • Forging “request headers” using Flash
  • Backdooring Media Files – JavaScript in everything

More Stories By Paul A. Henry

Paul Henry is global information security expert, with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. At Secure Computing, he plays a key strategic role in new product development and directions. In his role as vice president of technology evangelism, he also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, Department of Defense's Satellite Data Project, USA, and both government as well as telecommunications projects through out Japan.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
Julian 09/19/07 07:23:21 PM EDT

Awesome read - well done...
We recently wrote a blog post that's probably also of interest to readers on this topic. http://julian101.com/archives/88

It talks about Web2.0 and sheds some light on whether we're really at Web2.0 or Web 16.0...

Julian Stone - ProWorkflow.com

@ThingsExpo Stories
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that Elastifile will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Elastifile Cloud File System (ECFS) is software-defined data infrastructure designed for seamless and efficient management of dynamic workloads across heterogeneous environments. Elastifile provides the architecture needed to optimize your hybrid cloud environment, by facilitating efficient...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, will introduce two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
In his session at @ThingsExpo, Arvind Radhakrishnen discussed how IoT offers new business models in banking and financial services organizations with the capability to revolutionize products, payments, channels, business processes and asset management built on strong architectural foundation. The following topics were covered: How IoT stands to impact various business parameters including customer experience, cost and risk management within BFS organizations.
SYS-CON Events announced today that Golden Gate University will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Since 1901, non-profit Golden Gate University (GGU) has been helping adults achieve their professional goals by providing high quality, practice-based undergraduate and graduate educational programs in law, taxation, business and related professions. Many of its courses are taug...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
SYS-CON Events announced today that Secure Channels, a cybersecurity firm, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Secure Channels, Inc. offers several products and solutions to its many clients, helping them protect critical data from being compromised and access to computer networks from the unauthorized. The company develops comprehensive data encryption security strategie...
In his session at @ThingsExpo, Sudarshan Krishnamurthi, a Senior Manager, Business Strategy, at Cisco Systems, discussed how IT and operational technology (OT) work together, as opposed to being in separate siloes as once was traditional. Attendees learned how to fully leverage the power of IoT in their organization by bringing the two sides together and bridging the communication gap. He also looked at what good leadership must entail in order to accomplish this, and how IT managers can be the ...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
There is only one world-class Cloud event on earth, and that is Cloud Expo – which returns to Silicon Valley for the 21st Cloud Expo at the Santa Clara Convention Center, October 31 - November 2, 2017. Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers. Companies are each developing their unique mix of cloud technologies and service...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
SYS-CON Events announced today that App2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. App2Cloud is an online Platform, specializing in migrating legacy applications to any Cloud Providers (AWS, Azure, Google Cloud).
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...