Web 2.0 can’t be protected by Web 1.0 Security Models when Attackers are at Attacker 3.0…
Gunnar Peterson (1 Raindrop blog) continues to highlight the issues of implementing security models which are not keeping pace with the technology they are deployed to protect. Notice I didn’t say "designed" to protect.
Specifically, in his latest entry titled "Understand Web 2.0 Security Issues – As Easy as 2, 1, 3" he articulates (once again) the folly of the security problem that we cannot solve because we simply refuse to learn from our mistakes and proactively address security before it becomes a problem:
"So let’s do the math, we have rich Web 2.0 and its rich UI and lots
of disparate data and links, we are protecting these brand new
2007-built apps with a Web 1.0 security model that was invented in
1995. This would not be a bad thing at all if the attacker community
had learned nothing in the last 12 years, alas they have already
upgraded to attacker 3.0, and so can use Web 2.0 to both attack and distribute attacks.2.0 functionality, 1.0 security, 3.0 attackers. this cannot stand."
A-Friggin’-Men. Problem is, unless we reboot the entire human race (or at least developers and security folk) it’s going to take a severe meltdown to initiate change.
Oh, and BTW, just because it bugged me when Thomas Ptacek bawked while asking what I meant in a presentation of mine where I said:
"What happens when we hit Web3.0 and we’re still only at
Security 2.4beta11?"
…and he asked:
What does this even mean?
…the answer is simple: Please see Gunnar’s post above. It’s written much better, but i trust this is all cleared up now?
Recent Comments