Web 2.0 applications disrupt previous security measures

By Wade-Hahn Chan
Published on October 15, 2007


As government agencies use more applications based on Web services, new vulnerabilities in those programs threaten to circumvent traditional cybersecurity. Experts say the safest way to ensure the integrity of such applications is to build security into them.

Tim Grance, manager of systems and network security at the National Institute of Standards and Technology, said Web services-based applications can render traditional cybersecurity measures, such as firewalls, ineffective. That’s because the new applications transfer information from application to application through intermediary public Web sites rather than internally through an agency’s secure server network.

“That autonomy clashes with our traditional security models,” Grance said. “Perimeters aren’t quite what they were” in the past.

NIST has published a 128-page “Guide to Secure Web Services” that alerts managers to issues they should be aware of when they develop applications. The recommendations for avoiding security breaches include replicating data at physically separate locations, logging all visitors to Web 2.0 sites and encrypting data transferred via Web services applications.

However, some experts are concerned that NIST’s guide is too narrow in scope. “Web 2.0 is much bigger than the areas NIST is addressing,” said Bruce McConnell, president at consultant McConnell International.


Web services applications can create security pitfalls that experts might not fully understand, he added. For example, when coders develop programs called mashups, they integrate elements of other Web applications to create capabilities beyond those of the programs’ components. However, because mashups are not well understood, they could carry new vulnerabilities, McConnell said. One solution is to build security in rather than deploy external measures later. “Technology is starting to be developed with security built in — not as an afterthought — but this practice is not yet as widespread or as deep as it needs to be,” he said.

Web 2.0 pioneer Google tackles security on a daily basis. It is “embedded into the way the company does everything — the way we share data, the way we develop code,” said Rajen Sheth, lead project manager at Google Enterprise.

Furthermore, the company’s developers design their applications knowing that they will fail at some point in their life cycles, Sheth said. Consequently, Google developers always look for the best ways to protect and recover data.

Sheth said it is important for developers to be familiar with various types of cybersecurity threats and attacks. Much of that knowledge can only come from experience, he said, adding that the challenge is passing that knowledge on to others.


