
This is my personal blog and anything I write here in no way reflects the opinion of Cisco Systems, my employer. If it does, it is only by pure coincidence :) Nothing here constitutes investment advice either, so you can't sue me.

View Jason Kolb's profile on LinkedIn


    Web 2.0 Security

    I think one of the topics that's really going to be hot in the 2nd half of 2006 is Web 2.0 security. Before these apps can ever live in the enterprise, there are going to be a lot of hard questions asked about how hardened these apps are and if they're really secure.

    For example, are they using anything besides SSL to encrypt user passwords and sensitive information? Do the AJAX calls back to the server permit people to sniff and decrypt tokens that can be used to glean private customer information? Are the AJAX and HTTP calls subject to SQL injection attacks? Are the passwords stored in the database, or are they using salted password derivatives? Are they using WSE for their Web services calls?
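Two of those questions (salted password derivatives instead of stored passwords, and AJAX/HTTP handlers that are not subject to SQL injection) can be answered in a few lines of code. The following is an added illustration written for this post, not code from the original post or from any product it mentions. It uses only the Python standard library; the user table, the iteration count and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Assumption: iteration count chosen to keep the example fast; production
# deployments should tune this upward for their hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). The database stores these, never the password.

    A fresh random salt per user means two users who pick the same password
    end up with different stored values, so a leaked table cannot be attacked
    with one precomputed lookup for everyone at once."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivative and compare in constant time."""
    _, candidate = hash_password(password, salt)
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(candidate, stored_key)


def open_store() -> sqlite3.Connection:
    """Constructed in-memory user table: username, salt, derived key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, key = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, key),
    )


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The pattern the post warns about: query text assembled from user input.

    Kept here only to show, in the test below, that a single quote in the
    username changes the meaning of the query and returns rows that were
    never asked for."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised query: the value is bound by the driver, never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What an AJAX login handler should do: bound lookup, then verify the derivative."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_key = row
    return verify_password(password, salt, stored_key)


if __name__ == "__main__":
    db = open_store()
    add_user(db, "alice", "correct horse battery staple")  # constructed credentials
    print("good password:", login(db, "alice", "correct horse battery staple"))
    print("bad password: ", login(db, "alice", "guess"))
    print("unsafe lookup with a quote in the name:", lookup_user_unsafe(db, "x' OR '1'='1"))
    print("safe lookup with the same name:       ", lookup_user_safe(db, "x' OR '1'='1"))
```

The two lookup functions run the same logical query; the only difference is whether the username reaches the database as data (bound parameter) or as part of the SQL text, which is exactly the line an audit checklist should draw for every AJAX and HTTP endpoint.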

    Big companies will and do ask these questions. Before the Web 2.0 apps can graduate from use only in mom & pop shops, they'll need to answer them.

    The problem is, it's too easy to build cool applications now without a knowledge of proper software architecture. I know. I've been burned by these very questions in the past, and they're not easy to answer if you've never answered them before. The very fact that the ASP-model applications *don't* provide answers to these questions tells me they're not prepared to answer them, and are probably hoping that they don't ever get asked. Ostrich Syndrome - head in the sand.

    I think there's a really big opportunity here for somebody to start a company that certifies software companies for best security practices. It should be pretty easy to compile an audit checklist that somebody can use to check their software against. In fact I might very well start one.

    If this doesn't happen, once hackers catch on to AJAX techniques this industry is going to shoot itself in the foot (or, more relevantly, the womb?). It'll never gain traction because the CEOs, CTOs and CIOs of big companies will be so scared by stories of Web 2.0 applications being compromised that they won't touch them with a 10-foot pole. Remember, under Sarbanes-Oxley these guys could do hard jail time if their customers' information is compromised. Something to keep in mind, all you Basecamps out there.

    Trackbacks to Web 2.0 Security:

  • Web 2.0 and AJAX Security Vulnerabilities from JasonKolb.com
    Ajaxian has a post about some sessions at the Black Hat USA 2006 conference. I'm quite honestly surprised that this is just gaining some press now, I've figured it would happen sooner than it has (but that's typical for me [Read More]