10 Ways to Improve Web 2.0 Security

Updated: April 30, 2009

Web 2.0 promises many things, including innovative applications, imaginative data mashups, cost savings and reduced infrastructure overhead. But Web 2.0 also delivers something far less appealing: new security threats.

Protecting Web 2.0 services — and users — from online attacks should be the goal of any business that takes advantage of next-generation Web technologies. Here are 10 relatively painless steps any company can take to enhance its Web 2.0 security:

1. Educate your work force. Employees, particularly IT staffers, need to be aware of the threats posed by Web 2.0. Employee manuals, posters, newsletters, Web sites, interactive games and other media can all help spread the word and keep everyone safe from Web 2.0 predators.

2. Keep your computers up-to-date. Be sure to activate Microsoft Windows Update, Mac OS updates and updates for IM (instant messaging) programs, VoIP and other Web 2.0 applications. This is one of the simplest ways of keeping Web 2.0 vulnerabilities and online criminals at bay.

3. Install defenses. Consider deploying content-monitoring and filtering technology, URL filters, application controls and other tools that can block Web 2.0 threats. On the human side, establish an acceptable-use policy for Web 2.0 technology use and a blog oversight committee to manage blog threats. You should also determine how to deal with intellectual-property rights, trade secrets and other legal issues that arise with the use of Web 2.0 applications.

4. Weigh risks against benefits. It's easy to forbid employees from using Web 2.0 technologies, such as IM and social networks. But before doing so, determine the potential business benefits. You may be surprised to discover just how much Web 2.0 is already helping your business.

5. Check for Web-application vulnerabilities. Businesses that create their own Web 2.0 applications, links and tools often slap things together in a rush. Encourage developers to make intelligent design decisions and to examine their work for potential attacker loopholes.

6. Ban the use of sample code. Web 2.0 developers, pressed to create workable applications as quickly as possible, often resort to sample code as a ready-to-use solution for a specific programming challenge. The problem is that shared code can contain security weaknesses that may go unrecognized by the developer since he or she wasn't involved in its design.

7. Base security logic on the server. Many Web-based applications off-load security onto the client in order to boost loading and execution speeds. The problem with this approach is that attackers are left free to bypass the client with their own software and directly attack the unprotected server. Given the dire consequences that can result from such a scenario, it's better to be safe than fast — keep security on the server.
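To make point 7 concrete, here is an added example (not code from the original article) of one order handler written two ways: a version that trusts the values the browser-side script already checked, and a version that repeats every check on the server against server-side state. The catalogue, the session object and the function names are assumptions constructed for illustration; prices are integer cents to avoid floating-point rounding.

```javascript
// Constructed sample catalogue: server-side source of truth for price and stock.
const CATALOGUE = { "sku-100": { priceCents: 4000, stock: 5 } };

// Vulnerable pattern: the page's JavaScript validated quantity and filled in the
// price, so the server simply uses what arrived in the request body. A client
// that does not run that JavaScript can send any price and any quantity.
function handleOrderTrustingClient(session, body) {
  return { ok: true, sku: body.sku, totalCents: body.priceCents * body.quantity };
}

// Hardened pattern: authentication, existence, quantity and price are all
// decided on the server. Client-supplied price fields are ignored entirely.
function handleOrderServerSide(session, body) {
  if (!session || !session.userId) {
    return { ok: false, error: "not authenticated" };
  }
  const item = CATALOGUE[body.sku];
  if (!item) {
    return { ok: false, error: "unknown sku" };
  }
  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > item.stock) {
    return { ok: false, error: "invalid quantity" };
  }
  // Price comes from the catalogue, never from the request.
  return { ok: true, sku: body.sku, totalCents: item.priceCents * qty };
}

// Constructed request body as it would arrive if the browser-side checks were
// skipped: a price of 1 cent supplied by the client.
const sampleSession = { userId: "user-1" };
const tamperedBody = { sku: "sku-100", quantity: 3, priceCents: 1 };

console.log(handleOrderTrustingClient(sampleSession, tamperedBody)); // total 3 cents
console.log(handleOrderServerSide(sampleSession, tamperedBody));     // total 12000 cents
```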

8. Think like an attacker. Businesses that develop or modify Web 2.0 applications need to think like attackers. This means studying the latest attack methodologies and approaches other businesses are using to keep their Web 2.0 applications secure.

9. Stay on top of threats. Web 2.0 vulnerabilities are discovered frequently, so it's important to stay updated on the most recent findings. You can't count on Web 2.0 vendors and service providers to alert you to problems — you must be proactive. This means regularly checking applications and tools for weaknesses and studying the bulletins issued by major security vendors.

10. Run security audits. A security audit is always a good idea, but this task becomes even more critical as Web 2.0 applications pile up, creating new and often hidden vulnerabilities.
