Tuesday, July 29, 2008

What does security mean for web 2.0?

Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We’re still trying to figure things out and convince ourselves that we have the right answer. Or that someone does.

This is taken from a survey of web application security professionals. It's not a terribly scientific survey by any means, but I think it's interesting reading despite vague questions and a somewhat undefined audience.

The above quote really sums up what I got out of the article: that no one's really sure what web security means. The addendum to that is that people seem to feel that more is needed, but there is general skepticism about the existing tools (see the section in there about web application firewalls, for example, where 54% of respondents said they were skeptical, although open-minded, or the question above on web application vulnerability scanners).

The survey mirrors the sorts of impressions I've been getting from people I talk to both locally and at conferences, so if you're curious about what people think of web security, I think it's worth checking out the pretty graphs given in that survey as well as the author's commentary.