Although we are all aware of the inside threat many businesses today face, with Web 2.0 this threat is multiplied because with web services many individuals from different domains have some access to your system. You don’t have to just watch out for someone using common attack vectors, you must also watch out for malicious services being uploaded into a UDDI, as well as watch out for clients which have become web servers/hosts covertly on your network or a trusted partner.

I do disagree about older network experts having problem with the future of web services. Actually, I believe they will have no problem. Those of us who did networking prior to the Internet already faced this style of network interaction and some security concerns. Almost all processing was not done on your terminal, it was done on your central system or a link with another network; similar to where Web 2.0 is headed.

Back in the late 80s early 90s we moved away from this because personal computers were able to handle more and more, and applications were no longer written to be ran centrally.

Now we are coming full circle with an implementation of linking other terminals or desktop hosts with servers on another network. Although the technology has changed (instead of polling through my base network, I can use a browser interface), in reality the base is the same. Now we just need to scale it up a bit, due to the increase in individuals who have an education in networking, and access to our networks.

I do see changes coming in available protocols and languages for use on the Internet. For example, all applications we use now for Web2.0 is free of any mobile code (Ie javascript). PKI even at the lowest level will become a necessity for all data transactions. I wouldn’t be surprised if you will be required to have a personal certificate in the near future to use your credit card for online purchases for many websites.

Web 2.0 does bring us many new security challenges, because we will have to change the way business is handled now, and how we think & operate to ensure its security.

Problem is that its ontologies don’t really fit the requirements of modern web applications so workarounds were build (oh I hate CakePHP sometimes *g*)

The web application is not a desktop application and never will be - and the WebOS is the web itself - including all the problems evolving around it. XSS is not really an issue - and SQLI isn’t either. What should be put in focus is the the design flaws that come packaged with the web itself - beginning with HTTP and ending with application patterns resulting in tools way too powerful so the developers their selves aren’t capable of realizing what monsters the have created. A pretty ‘Oppenheimerish’ situation…