Abstract for a presentation submitted to RSA 2009. Stay tuned for details as the slides creep closer to completion.
The underlying technologies of Web 2.0, often summed up in the term AJAX, as well as HTTP itself still face the same problems that web developers have faced since the web browser was born. Old, well-defined and well-understood vulnerabilities still crop up in modern web applications. So, even as security looks toward identifying and addressing new types of vulnerabilities, it’s important to evaluate how those dusty vulnerabilities still have an impact on web sites. Equally important is the distinction between attacks targeting the web application and attacks that target web browsers, because the browser is becoming more and more central to storing and manipulating personal information.
As web applications evolve in complexity and adopt new technologies, security methodologies and tools must keep pace. This presentation looks at the current state of web security in order to offer insight into what’s needed for Web Security 2.0 to stay relevant to the challenges faced by today’s web applications.
[In other words, how well do web scanners deal with "modern" web sites? Do they even need to?]