Justice, Commerce warn of Web 2.0 and 3.0 security risks


Defense-in-depth protection for agency Web sites is the recommendation from Justice and Commerce department representatives who spoke during the FOSE 2008 Conference and Exposition about the dangers of targeted attacks.

'[The] Web is a collaboration method, but the benefits of collaboration will not be realized unless that collaboration is done securely,' said Michael Castagna, Commerce's chief information security officer.

'We must understand the promise and peril of technology,' he added. 'Criminal syndicates are targeting intellectual assets such as credit card data and personal information and then are selling that information.'

Castagna also spoke about Web 2.0 risks. He described the three components of Web 2.0 as service-oriented architecture, application program interfaces, and rich Internet applications that use technologies such as Flash, Really Simple Syndication, and Asynchronous JavaScript and Extensible Markup Language.

Web 2.0 is about the user experience, with an emphasis on user-contributed content. In Web 2.0, the Web has become the application, but in Web 3.0, the Web becomes a database. Castagna asserted that although Web 2.0 presents its own security risks, he is also looking ahead to Web 3.0 and the risks it might present. 'Web 3.0 will consist of a database of machine-to-machine content,' he said. 'Search moves from contextual to semantic where it is interactive and powerful and must be secured.'

Mischel Kwon, deputy director of IT security at Justice, spoke about the danger of the relatively new IFrame attacks.

An IFrame (short for inline frame) is an HTML element that makes it possible to embed another HTML document inside the main page. In an IFrame attack, malicious code injected into a legitimate Web page redirects visitors to third-party malware sites.
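As an added illustration of the defender's side of the IFrame problem described above (example code, not part of the original GCN article), the script below parses a page's HTML and flags any iframe that loads content from a host other than the site's own, noting whether it is styled so a visitor would never see it. The site and third-party host names are constructed placeholders.

```python
# Added example: scan HTML for off-site (and possibly invisible) iframes.
# Host names below are constructed placeholders, not real indicators.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
TINY = {"0", "1", "0px", "1px"}


def is_hidden(attrs):
    """True if the iframe is sized or styled so it renders invisibly."""
    tiny = (attrs.get("width", "").strip() in TINY
            or attrs.get("height", "").strip() in TINY)
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def suspicious_iframes(html, site_host):
    """Return (src, hidden) for iframes whose src host is not site_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # relative URLs have no host
        if host and host != site_host:
            findings.append((src, is_hidden(attrs)))
    return findings


# Constructed sample: a legitimate embedded player plus an injected,
# zero-size, hidden iframe pointing at a placeholder third-party host.
SAMPLE_PAGE = """
<html><body><h1>Agency News</h1>
<iframe src="https://agency.example.gov/video/player" width="640" height="360"></iframe>
<iframe src="http://malware-host.invalid/load.php" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, hidden in suspicious_iframes(SAMPLE_PAGE, "agency.example.gov"):
        print(f"off-site iframe: {src} hidden={hidden}")
```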

Despite the persistence of such attacks, Kwon acknowledged the power of Web applications. 'To be effectively used, Web applications require ease of access, connectivity to other applications and rich functionality,' she said. 'The last thing you want to do is inhibit it via security. You must balance security with mission necessity and do risk analysis to decide what risks we are willing to take to allow that rich functionality.'

About the Author

Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.
