Pete Simpson, Clearswift Corporation: Web developers in a Web 2.0 World
March 2008 by Pete Simpson, ThreatLab Manager, Clearswift Corporation
Recent reports that web developer pay has risen by 26 per cent in the past year should come as no surprise; after all, the popularity of social networking sites seems ever-increasing. In just one year, Facebook has grown by 270 per cent and now boasts over 52 million users worldwide. This zeal for all things interactive has seeped into the online community’s consciousness and as a result, organisations and businesses are clamouring to implement their own Web 2.0 functionality.
Yet while such an increase in web traffic is a boon for the industry, it does have its downsides. Interactive sites are built with Ajax (asynchronous JavaScript and XML), in which the browser makes many small background requests to the server and renders the responses into the page. Compared with a site of static HTML pages, this exposes many more server endpoints and many more places where untrusted data is parsed and rendered, so malware writers have far more points of entry. The problem is exacerbated when web developers lack the security knowledge to keep pace with these advances and so unwittingly leave sites, and with them the end user, open to attack.
So what threats are web developers now facing? As mentioned, Ajax is a key contributor to the growing number of security breaches on the web. A traditional web application can be compared to a house with just one front door and no windows, in that it offers a single point of attack. An Ajax application, on the other hand, constantly exchanges small amounts of data between the browser and the server, and every one of those exchanges is a point of input. Each input is another opportunity for attack: as well as the front door, the house now has numerous windows, each a point of break and entry. Of course, it is this technology that makes the interactive functions of a website possible, and it would be ridiculous to suggest removing such functions to keep a site secure. Instead, the security industry must share its knowledge with web developers so that precautions are taken to prevent Ajax-based sites from being hijacked.
A key issue is that Web 2.0 technology has exploded so fast that the IT industry has struggled to keep up. Seventy-one per cent of UK office workers aged 18-29 access Web 2.0 sites at least a few times a week, and it is these sites that have gained popularity with phishers and hackers. In March 2007, Google’s Online Security blog noted that the number of page views generated on phishing sites had increased five-fold, with 95 per cent targeting MySpace. Holes in security mean that sites like MySpace have become goldmines: injecting a few lines of CSS into a profile is all it takes, because the CSS can position an attacker-controlled element over the whole page, so that wherever a user clicks, even on what appears to be a legitimate link, they are redirected to a phishing page. Many users reuse the same login credentials for social networking accounts, banks and web-based mail, allowing a domino effect in which a user’s online identity is fully compromised. If web developers do not know how to prevent such breaches, the web will grow increasingly unsafe and the positive aspects of the Web 2.0 revolution will be undermined.
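An added example, not code from the article or from any social-networking site, of the kind of control that stops the profile CSS attack described above: an allowlist filter for stylesheet text that users may add to their own profile. The property list, the sample stylesheet (including the phish.example address) and the function name are constructed for illustration. Only plain selectors, a fixed set of cosmetic properties and plain values survive; anything else, including anything the deliberately simple parser cannot read as `selector { property: value; ... }`, is dropped, so the filter fails closed.

```javascript
// Added example, not code from the article or from any social-networking
// site: an allowlist filter for CSS that users may add to their own profile.
// Only plain selectors, a fixed set of cosmetic properties and plain values
// survive; anything else, including anything the deliberately simple parser
// cannot read as `selector { property: value; ... }`, is dropped, so the
// filter fails closed.

const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-family', 'font-size', 'font-weight',
  'font-style', 'text-align', 'text-decoration', 'line-height',
  'border-color', 'border-width', 'border-style', 'padding', 'margin',
]);

// Element names, classes, ids and descendant combinators only.
const SAFE_SELECTOR = /^[a-z.#][a-z0-9_ .#-]*$/i;
// Keywords, numbers, units, hex colours, commas and quoted names. No
// parentheses, so url(), expression() and similar never get through, and
// no '<', so the text can never close the enclosing <style> element.
const SAFE_VALUE = /^[a-z0-9#%.,'"\s-]+$/i;

function filterProfileCss(css) {
  const kept = [];
  const dropped = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ''); // comments carry no style
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(stripped)) !== null) {
    const selector = m[1].trim();
    if (!SAFE_SELECTOR.test(selector)) {
      dropped.push(`${selector} { ... }`); // covers @import, @media, :hover and so on
      continue;
    }
    const decls = [];
    for (const decl of m[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon === -1) continue; // blank or malformed declaration
      const prop = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      if (ALLOWED_PROPERTIES.has(prop) && SAFE_VALUE.test(value)) {
        decls.push(`${prop}: ${value}`);
      } else {
        dropped.push(`${selector} { ${prop}: ${value} }`);
      }
    }
    if (decls.length > 0) kept.push(`${selector} { ${decls.join('; ')} }`);
  }
  return { css: kept.join('\n'), dropped };
}

// Constructed sample: one legitimate rule, then a rule that stretches a link
// over the whole page (the overlay trick described in the article), then a
// rule that mixes an IE behaviour binding with a legitimate colour.
const SAMPLE_PROFILE_CSS = `
.profile { color: #333; font-family: Verdana, sans-serif; }
/* attacker-controlled part */
a.phish { position: absolute; top: 0; left: 0; width: 100%; height: 100%;
          z-index: 9999; background: url(http://phish.example/login.png); }
body { behavior: url(evil.htc); color: red; }
`;

const result = filterProfileCss(SAMPLE_PROFILE_CSS);
console.log(result.css);
console.log(`${result.dropped.length} declarations or rules dropped`);
```

The allowlist is the point: a denylist of dangerous properties would need updating every time a browser grew a new way to position, bind or fetch, whereas here anything not explicitly cosmetic is refused by default. The whole of the overlay rule disappears because none of its properties is on the list, and the `behavior` binding is stripped while the harmless `color: red` beside it survives.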
One successful hacker named ‘Lithium’ has been quoted as saying: “Lazy web developers are the reason I’m still around phishing”. However, the blame cannot be laid solely at the door of web developers. On the contrary, the training they receive is part of the problem: the provision of security training varies from course to course, with some teaching very little on the subject at all. Web development courses should teach would-be developers that the key to consumer confidence in the web is to build security in from a site’s conception rather than bolting it on afterwards. To do this, developers should treat every point of input, including every Ajax endpoint, as untrusted: validate input on the server against what the application actually expects, and encode output for the context in which it is rendered. Up-to-date best-practice advice, technical documentation and free libraries and tools can be found at the Open Web Application Security Project (owasp.org).
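Taking the house-with-many-windows analogy and the advice to secure every point of input literally, here is an added example that is not the article’s or Clearswift’s code: a Node.js-style dispatcher for the Ajax endpoints of a hypothetical site. The endpoint paths, parameter rules, handler names and sample requests are all assumptions made for illustration. Every endpoint declares exactly which parameters it accepts, undeclared endpoints and parameters are refused before any handler runs, and a vulnerable search handler is shown beside its hardened form.

```javascript
// Added example, not code from the article or Clearswift: a request
// dispatcher for the Ajax endpoints of a hypothetical site. Every endpoint
// declares the parameters it accepts; undeclared endpoints or parameters are
// rejected before any handler runs, and anything echoed back is HTML-encoded.

// Hypothetical endpoint table: one entry per "window" in the house analogy.
const ENDPOINTS = {
  '/ajax/search': { q: { type: 'string', maxLen: 64, pattern: /^[\w\s.-]*$/ } },
  '/ajax/profile': { id: { type: 'int', min: 1, max: 2147483647 } },
};

// Encode for an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate the raw query parameters of one request against the endpoint's
// declaration. Returns { ok: true, params } or { ok: false, error }.
function validateParams(path, raw) {
  const schema = ENDPOINTS[path];
  if (!schema) return { ok: false, error: 'unknown endpoint' };
  for (const name of Object.keys(raw)) {
    if (!(name in schema)) return { ok: false, error: `unexpected parameter: ${name}` };
  }
  const params = {};
  for (const [name, rule] of Object.entries(schema)) {
    const value = raw[name];
    if (typeof value !== 'string') return { ok: false, error: `missing parameter: ${name}` };
    if (rule.type === 'int') {
      if (!/^\d{1,10}$/.test(value)) return { ok: false, error: `${name} must be an integer` };
      const n = Number(value);
      if (n < rule.min || n > rule.max) return { ok: false, error: `${name} out of range` };
      params[name] = n;
    } else {
      if (value.length > rule.maxLen || !rule.pattern.test(value)) {
        return { ok: false, error: `${name} rejected` };
      }
      params[name] = value;
    }
  }
  return { ok: true, params };
}

// Vulnerable handler: reflects the raw parameter straight into the fragment
// the browser will insert into the page (reflected cross-site scripting).
function vulnerableSearch(raw) {
  return { status: 200, body: `<li>Results for: ${raw.q}</li>` };
}

// Hardened handler: validate first, then encode whatever is echoed back.
// The encoding stays even though the pattern already excludes markup
// characters; the two controls are independent of each other.
function hardenedSearch(raw) {
  const v = validateParams('/ajax/search', raw);
  if (!v.ok) return { status: 400, body: escapeHtml(v.error) };
  return { status: 200, body: `<li>Results for: ${escapeHtml(v.params.q)}</li>` };
}

// Constructed sample requests.
const attack = { q: '<img src=x onerror=alert(1)>' };
console.log(vulnerableSearch(attack).body);          // script-bearing markup reaches the page
console.log(hardenedSearch(attack));                 // { status: 400, body: 'q rejected' }
console.log(hardenedSearch({ q: 'web 2.0' }));       // { status: 200, body: '<li>Results for: web 2.0</li>' }
console.log(hardenedSearch({ q: 'x', debug: '1' })); // { status: 400, body: 'unexpected parameter: debug' }
```

The table of endpoints is what makes the "many windows" manageable: adding an Ajax call means adding a declaration, so there is no endpoint that accepts input nobody has thought about. Rejecting unknown parameters outright closes the common Ajax-era mistake of a handler quietly honouring a `debug` or `callback` parameter that was never meant to be public.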
Within the next year the IT community is likely to see more incidents of Ajax-borne threats, which should be enough to raise developers’ awareness of the issue. For most web developers, what they need to know initially to produce safe, secure websites can be taught in two days, but after that it is up to the developers themselves to keep track of the latest security threats and developments.