“With recent surveys from McKinsey indicating that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now,” said Brian Chess, Fortify Software’s co-founder and Chief Scientist. “Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings.”
Fortify contacted a large group of security researchers, enterprises deploying Web 2.0, industry analysts, software developers and framework architects to determine the best course of action. The general consensus was that Fortify needed to inform the industry in a timely fashion while ensuring a fix was available. Fortify’s Web 2.0 Security Advisory was written to explain the issues to the business community as well as help developers fix the problem at the source code level.
“There are some worrying estimates of the percentage of websites with vulnerabilities, so I think it's good for the industry to focus on greater security, particularly in understanding the risks,” said Joe Walker, CEO of Getahead Ltd. and a developer and consultant working on advanced web development techniques like AJAX. “I'm pleased to see that Fortify is spending time to explain the problem and investigate the issues.”
Although Web 2.0 functionality has already seen mainstream use by consumers (e.g. social networking sites like MySpace), enterprises are recognizing the growing value of pushing applications to the Web, and are rapidly deploying frameworks to facilitate quick access to information, improve application performance and encourage collaboration. According to a March 2007 McKinsey survey, the industries most likely to adopt Web 2.0 technologies are retail, high tech, telecommunications, finance and pharmaceuticals.
Security researchers like Jeremiah Grossman have already demonstrated the viability of this new class of vulnerability in specific instances. “New technology often leads to new risks and opens unforeseen avenues of malicious attack. Once understood, developers need to ensure the necessary safeguards are in place when they break new ground,&rdquop; said Grossman, CTO of WhiteHat Security. “Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in an incident.”
About Fortify Software, Inc.
Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products—Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender—drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by a world-class team of software security experts and partners. More information is available at www.fortifysoftware.com.