Wednesday, September 26, 2007

Web 2.0: The Concerns

So you, as an enterprise or a consumer, have decided Web 2.0 is the best of the best. Just wait one minute. Concerns about security were prevalent throughout Web 1.0, right? Oh wait, they still are in a Web 2.0 world. People are worried about the three tenets of security: Confidentiality, Integrity, and Availability (conveniently, the acronym is CIA). Let's take each one of these in stride:

Confidentiality: From Wikipedia: "Confidentiality has been defined by the International Organization for Standardization (ISO) as 'ensuring that information is accessible only to those authorized to have access' and is one of the cornerstones of Information security. Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography."

This is great and all, but what about a cornerstone of Web 2.0 being the openness of data? Well, have I got some great resources for you:

The REST security manager (link): First, the security policy is applied by a proxy, not by the security manager, which makes sense. Second, in order to integrate transparently into a web architecture, the security proxy MUST make its policy decisions solely on the basis of the REST verb (POST, PUT, DELETE, GET, etc.), the URI, and the user, e.g., as authenticated with HTTP.

Integrity: From Wikipedia: "Data integrity is a term used in computer science and telecommunications that can mean ensuring data is 'whole' or complete, the condition in which data is identically maintained during any operation (such as transfer, storage, and retrieval), the preservation of data for its intended use, or, relative to specified operations, the a priori expectation of data quality. Put simply, data integrity is the assurance that data is consistent, correct, and accessible."

People have found attacks based on this principle to be very disconcerting. Enterprises and businesses today are not built on their business model, but rather on their data. Amazon's customer list is a lot more important to them than the idea of E-Commerce. The product catalog has value along with the comments, ratings, etc., not a drop shipment. At all costs, companies must protect their data in a Web 2.0 world. As enterprises, we must validate and put audit trails behind the scenes of our Web 2.0 applications. Let us not forget the mistakes we made with Web 2.0 when we come into the new world.

Check out HDIV (link) - We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications' behaviour by adding security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a way that is transparent to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don't use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages). It grants us confidentiality, integrity, and data validation.

Availability: From Wikipedia: "The degree to which a system, subsystem, or equipment is operable and in a committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time. Simply put, availability is the proportion of time a system is in a functioning condition."

When we move to an on-demand world, we are faced with forcing users to use online applications. However, if the applications are not available, we lose productivity. Skype lost 2 days of service and it was a "black eye" in their business. How can you be trusted, used, and seen as legitimate if you aren't on demand? People have a desire for what they want when they want it. The day you become unavailable is the day you become unnecessary.

For this, NexaWeb has created the Internet Messaging Bus (link). This can easily be recreated with little effort by most Java developers, but it provides a great software architecture. The IMB provides Nexaweb-enabled applications with richly-featured communications capabilities which few development platforms offer. It provides a built-in communications layer, which transparently handles most aspects of client-server messaging. The features of the IMB make it possible for developers to build multi-tier applications without having to create protocols, encode and decode messages, understand network topology, or immerse themselves in the communications and networking intricacies which client/server programming has traditionally required. The IMB uses industry standard technologies, HTTP and HTTPS, for its communications protocols. Nexaweb has done a lot of work to ensure that messaging is bidirectional, that it passes through firewalls and proxy servers, and that it can tunnel through security mechanisms such as SSL. The IMB extends the request/response model familiar from HTTP requests sent and received by browsers, so that it is not just client to server, but anywhere to anywhere: client to server, server to client, even client to client.

Secondly, I would recommend checking out O'Reilly's great article on load balancing web applications.

I hope through this you have learned a few techniques to increase security in a Web 2.0 world through the mistakes that we have learned from in a Web 1.0 environment. It is critical that we learn from our mistakes and make sure that we bring this web into the enterprise with a thorough understanding of how to protect ourselves.

As always, if you have any questions, let me know.

John
