Comments on: The Next Line of Defence: Web2.0! You must read this!

By: HTML/CSS Injections - Primitive Malicious Code (or, What’s the worst that could happen?) « omg.wtf.bbq.

Sat, 05 Jan 2008 06:21:21 +0000

[...] has no idea what malicious code the victim was tricked into executing. Double awesome. The code is in the cloud, [...]

By: pdp

pdp — Tue, 18 Dec 2007 09:45:17 +0000

Shoaib, you are absolutely right. The thing is that GNUCITIZEN research is primary attack oriented. We are mostly interested in the offensive side rather then the defensive side. Though, I will put some defensive techniques with the next post.

thanks for the comment.

By: Shoaib Yousuf

Shoaib Yousuf — Tue, 18 Dec 2007 00:38:58 +0000

pdp,

I always see you are always pointing out upcoming security threats and warning about security threats in Web 2.0. I totally agree with your posts (no doubt) but it will be great if you start telling us what can be done?

Okay, I agree there are security threats and risks but as security professionals and with so many websites telling us that; we already know whatâ€™s going on in WEB 2.0. As your regular user and reader I would like to read your thoughts on how to save defend from WEB 2.0 Security risks and threats in your point of view.

Cheers

Shoaib
Australia

By: rdivilbiss

rdivilbiss — Sat, 15 Dec 2007 03:52:10 +0000

“Do you think that google or appjet have (or must have) a kind of â€œantivirâ€ to scan all services and detect malicious services?”

Sounds like the argument Wall Street made before 1929. ergo the SEC, et. al.

Some responsibility for security certainly rests with the service providers, though I can not specifically say how much. It would however be in the best interests of the service providers to intervene before EU or US regulators decide to get involved legislatively.

By: application.secure

application.secure — Thu, 13 Dec 2007 12:49:35 +0000

yes, you have the same service with “google mashup”…
Do you think that google or appjet have (or must have) a kind of “antivir” to scan all services and detect malicious services?

By: pdp

pdp — Thu, 13 Dec 2007 09:34:16 +0000

Jim, of course, but at some point in time you will have to.

application.secure, the reason why I mentioned appjet.com is because their service allows you to build tiny applications very rapidly. Also the service gives you the ability to connect to stuff. In the past you will need a compromised system in order to launch an attack. Today, all you need is an account with one of these services. This is what makes it scary.

By: application.secure

application.secure — Thu, 13 Dec 2007 08:09:34 +0000

Good stuff… (I saw your presentation about web2.0 at OWASP.) Full agree with you… Input validation is not “the” challenge about security in web2.0… of course, it will continue to be an attention point when developing web 2.0 applications.

As you say, the challenge of 2.0 is more about integration and sharing information and services.

Do never trust external information and services? Is it the golden rule of 2.0?

But(fe) is it not the responsability of service(app) providers like (appjet.com) to deliver trusted services?

By: Jim Manico

Jim Manico — Thu, 13 Dec 2007 05:12:48 +0000

I will not shoot my critical data up into the cloud until I can encrypt and project my data no matter where it is with I having the only key.

By: shmel

shmel — Wed, 12 Dec 2007 18:30:32 +0000

Funny toy, indeed. Poor my vacation…
http://foreva.appjet.com/

By: AJAX coding school » Blog Archive » AJAX Examples [2007-12-12 16:40:43]

Wed, 12 Dec 2007 16:57:46 +0000

[...] The Next Line of Defence: Web2.0! You must read this! By pdp However, with the introduction of AJAX and other client-side technologies, we start to see more of the hybrid type: both servers and clients are seamlessly glued together to produce the desired effect. Why is this interesting? … GNUCITIZEN - http://www.gnucitizen.org [...]