Vital for web developers to know about security threats - webnetics - 09-01-08

The popularity of social networking sites seems ever-increasing. In just one year, Facebook has grown by 270 per cent and now boasts over 52 million users worldwide. This zeal for all things interactive has seeped into the online community's consciousness and, as a result, organisations and businesses are clamouring to implement their own Web 2.0 functionality.

While such an increase in web traffic is a boon for the industry, it does have its downsides. Interactive sites use open source Ajax coding, which gives malware writers considerably more points of entry than traditional HTML coding. The problem is further exacerbated when web developers don't possess enough security knowledge to deal with new advances in the industry, and unwittingly leave sites — and the end-user — open to attack.

So what threats are web developers now facing? As mentioned, Ajax is a key cause of increased security breaches on the web. A traditional web application can be compared to a house with just one front door and no windows, in that it offers only one point of attack. On the other hand, an Ajax application constantly exchanges small amounts of data between the browser and the server, which creates many points of input. The inputs provide more opportunities for attack; as well as the front door, the house has numerous windows, all providing a break-and-entry point.

Of course, it's this open source technology that enables the interactive functions on a website to exist, and it would be ridiculous to suggest erasing such functions to retain a secure website. Instead, the security industry must share its knowledge with web developers so that precautions are taken to prevent Ajax-based sites being hijacked.

Targeting Web 2.0 sites

Web 2.0 technology has exploded so fast that it has been impossible for the IT industry to keep up.
Right now, 71 per cent of UK office workers aged 28-29 access Web 2.0 internet sites at least a few times a week, and it's these sites that have gained the most popularity with phishers and hackers. In March 2007, for example, Google's Online Security blog noted that the number of page views generated on phishing sites increased fivefold, with 95 per cent targeting MySpace.

Holes in security mean that sites such as MySpace have turned into goldmines: the injection of a simple CSS code into a profile is all it takes to infect the page, so that wherever a user clicks, even on what appears to be a legitimate link, they're redirected to a phishing page. Many users have the same login credentials for social networking accounts as they do for banks and web-based mail. This creates a domino effect and enables a user's online identity to be fully compromised.

If web developers are unaware of how to prevent such security breaches, the web will grow increasingly unsafe and, as a result, the positive aspects of the Web 2.0 revolution will be seriously undermined. One successful hacker — Lithium — has been quoted as saying: "Lazy web developers are the reason I'm still around phishing."

However, the blame cannot be laid solely at the door of web developers. On the contrary, it's the training they receive that's a major part of the problem. It seems that the provision of security training varies from course to course, with some teaching very little on the subject at all. Web development courses should teach would-be developers that the key to ensuring consumer confidence in the web is to make a site as invulnerable as possible from its conception. To do this, developers should make sure that all input is sanitised and all points of input are as secure as possible. Up-to-date advice on security best practice, technical documentation and free, secure source code can be found at the Open Web Application Security Project (owasp.org).
Within the next year, it's likely that the IT community will see more incidents of Ajax-borne threats, which should hopefully be enough to raise developers' awareness of this issue.
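The post's advice that every Ajax input point be validated and every value sanitised before it is shown, as an added example that is not part of the original post: a hypothetical profile-update endpoint whose field names, length limit and URL rule are assumptions.

```javascript
// Added example, not code from the original post: one Ajax entry point of a
// hypothetical profile-update feature, handled as the post recommends, with
// every field validated on the server and every value encoded when shown.
// The request shape (displayName, bio, homepage) is an assumption.
const MAX_BIO = 500;

// Encode text for placement inside an HTML element body or attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs for the homepage link; reject the rest.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    return ["http:", "https:"].includes(parsed.protocol) ? parsed.href : null;
  } catch {
    return null;
  }
}

// Server-side validation of the JSON body an Ajax call would send.
// Returns { ok: true, value } or { ok: false, errors }.
function validateProfileUpdate(body) {
  const errors = [];
  const displayName = typeof body.displayName === "string" ? body.displayName.trim() : "";
  if (!/^[\p{L}\p{N} _.-]{1,40}$/u.test(displayName)) errors.push("displayName");
  const bio = typeof body.bio === "string" ? body.bio : "";
  if (bio.length > MAX_BIO) errors.push("bio");
  const homepage = body.homepage == null ? null : safeUrl(body.homepage);
  if (body.homepage != null && homepage === null) errors.push("homepage");
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { displayName, bio, homepage } };
}

// Render a stored profile as HTML. Every dynamic value passes through
// escapeHtml (and the URL through safeUrl first), so markup or style sheets
// typed into a field appear as literal text instead of changing the page.
function renderProfile(profile) {
  const link = profile.homepage
    ? `<a href="${escapeHtml(profile.homepage)}" rel="noopener">homepage</a>`
    : "";
  return `<h2>${escapeHtml(profile.displayName)}</h2>` +
         `<p>${escapeHtml(profile.bio)}</p>${link}`;
}

// Constructed sample request, as a browser's Ajax call might submit it.
const sampleRequest = { displayName: "Alice", bio: "Hi <style>body{display:none}</style>", homepage: "https://example.org" };
```

The same validate-then-encode pair belongs on every endpoint the browser can reach, since in an Ajax application each one is another of the "windows" the post describes.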