Web 2.0 presents no new security challenges, is just marketing hype

Secure Computing's Scott Montgomery says Web 2.0 security is marketing hype, application flaws come from overworked programmers and Australia is doing better at cyber-security than the USA and Europe.

A Senior Technologist from Secure Computing says that Web 2.0 presents no new security challenges and is being used to market products.

"Web 2.0 is a new marketing Frisbee," said Scott Montgomery, an advisor to a number of US security consultancies and Secure Computing's representative to standards groups such as the Cyber Security Industry Alliance. "It has not changed a thing."

"The attackers are seeking command and control," he says, which is not a change from traditional hacker activity.

"The reason the browser is becoming the battleground is that it is where the action is taking place," he says. But Web 2.0 applications do not in themselves represent any greater risk than earlier application architectures.

"My point is that some of the old standards do not change," he told searchsecurity.com.au. "Sloppy application programming that creates unbounded conditions whereby outsiders can take control of the TCP stack is still bad."

Sloppy programming, however, may be more common due to commercial pressures to develop new web applications.

"I feel for application developers," Montgomery says. "If you are a web application programmer you have to be aware of and provide remediation for so many things," he says, citing this diagram.

"People are quick to say that web application developers are sloppy coders, but they are under pressure to create software quickly and then we act shocked when there are flaws."

Montgomery believes that training developers, rather than buying more tools, can address the problem.

"We do not make the tools we have work properly," he says. "We simply spend on new gadgets and tools. But buying new stuff never solves the problem."

"I say if you have budget to spend, arm your people with the skills they need. You do not have dumb people, you have overworked people."

National security

Montgomery also said that, in his opinion, Australian authorities are further along in developing a national cyber-security response than their US counterparts.

"Pound for pound, Australia's technical practitioners are more skilled than their US counterparts," he says, although that skill is compromised by "politicking and infighting."

These turf wars are, happily, less common and less vicious in Australia than in other nations.

"At the end of the day they [Australia's security agencies] are fighting for a common goal. In Europe and the USA they spit on each other."
