Secure Development Lifecycle and Web 2.0

Hi…

 

I found this nice blog entry https://blogs.msdn.com/sdl/archive/2008/02/28/sdl-and-web-2-0.aspx

Every single word is true. My impression is that most people in this vibrant web 2.0 space still think they live in happy land where no bad people exist.

Even worse: This might be true… in a awkward sense. As long as a hack simply add somebody to your list of flickr friends one can argue “should I really be scared to death now?”. OK, there might be some photos you might not want to share with anybody unknown, the public, the press… there are some remarkable examples in the press right now…

But this is the fundamental problem of Web 2.0: As long as the value of web 2.0 applications is dispensable, web 2.0 stays a toy. That does not mean you cannot become rich and marry on a rented Caribbean island with only 600 of your closest friends from politics and the movies but it will not make its way to the real thing.

Once entering the real thing security is not an option: It is a must have.

Now the second bad thing enters the arena: We are (mis-)using technologies to get the effect we want. I doubt that the engineer (as far as I know somebody at Netscape to the time just before the browser wars) who came up with JavaScript (or should I say ECMAscript?? You choose) as a way to do some scripting on web pages that some years later the amount of Javascript within a Webpage would extend the amount for HTML and even graphics.

The drawback is that were technology is used in a way it was never meant to be used the likelihood of strange effects which can lead to a security breach simply is higher than necessary.

My advice: You might not get rich as much and as soon but having a good paid and secure job might be nice, too. Go into Web 2.0 security…

CU

0xff