Software, Interrupted

March 31, 2009 8:02 PM PDT

Open Sources Episode 10 (video): Web 2.0 is dead

by Dave Rosenberg

Lucky break for all you Open Sources podcast fans--Matt Asay and I went to the Web 2.0 event Tuesday and instead of podcasting, we shot some video footage using the iSight camera on my Mac and a Flip Video camera. It won't win any videography awards, but it was great sitting next to each other to record this episode.

As I continue to nurse a hand injury, I am happy to say no one was hurt during the filming.

Follow me on Twitter @daveofdoom

February 19, 2009 2:26 PM PST

The biggest online security risk: humans

by Dave Rosenberg

Following up on a post about the top Web 2.0 security threats, I thought I would take a quick look at what I mentioned as one of the biggest security threats to any company: information leakage.

All the delightful modern collaboration tools we use--blogs, wikis, SaaS applications, etc.--just make it easier for your corporate information to walk out the door. Regardless of the systems or applications your company uses, odds are any piece of data can (and will) be accessed, e-mailed, written down, or just remembered by a large percentage of your staff.

Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.

Generally speaking, information leakage is nearly impossible to contain, regardless of whether the data is Web 2.0 browser-based or not. Think back to the last time you used a public Web terminal at an event or hotel--I can't remember a time when I couldn't just hit the back button or history tab, which at a bare minimum revealed the last user's e-mail address.

So what can you do to protect your business? The truth is that there are few non-draconian methods available to protect your data and ensure that people are using collaborative tools effectively. In this case, prevention is the best medicine.

February 17, 2009 12:30 PM PST

Ignore these browser flaws at your own risk

by Dave Rosenberg

The Secure Enterprise 2.0 Forum has just released its 2009 industry report outlining the top Web 2.0 security threats. These threats are not so much specific to Web 2.0 companies as they are to browser-based applications in general.

The list of key Web 2.0 security threats:

  • Cross Site Scripting (XSS): Malicious input is sent by an attacker, stored by a system, and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are more susceptible to XSS and malicious scripts. This type of functionality in which many users can create content viewed by other users is typical to Web 2.0 systems such as social networks, blogs, or wikis, making Web 2.0 applications especially vulnerable to XSS. Web 2.0 applications rely heavily on user-generated input. In order to allow the user great control over the content design, applications often allow HTML tags that are not safe and can be abused for XSS.
  • Cross Site Request Forgery/Cross Gadget Request Forgery: The victim visits a malicious Web site. While content is displayed on the victim's browser, the malicious site code generates requests to a different site to which the victim is authorized, for example through a persistent cookie. Such requests can perform operations on behalf of the victim, even across insecure gadgets on the same Web page.
  • Phishing: The victim receives by e-mail a request to install a fraudulent widget, or is redirected to a fraudulent Web site in order to fill an online form with sensitive information.
  • Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.
  • Injection Flaws: Web 2.0 is vulnerable to new types of injection attacks, including XML injection, XPath injection, JavaScript injection, and JSON (JavaScript Object Notation) injection. In addition, because they rely heavily on client-side code, Web 2.0 applications more often perform some client-side input validation, which an attacker can bypass.
  • Information Integrity: Information correctness is one of the key elements of data security. While we usually think about loss of integrity due to a malicious hack, unintentional misinformation also leads to loss of integrity.
  • Insufficient Anti-Automation: The programmatic interfaces exposed by Web 2.0 applications enable an attacker to automate attacks. Two examples of automation include brute force attacks and Cross Site Request Forgery. Other examples include automated retrieval of a large amount of information and automatic opening of accounts, for example as part of a phishing attack.

Personally, I think the biggest risk is information leakage. Despite any and all attempts to stop information from walking out the door, there is little that can actually be done. More about that in a future post.

Via ReadWriteWeb

December 26, 2008 3:04 PM PST

Making 'freemium' work amid ad death spiral

by Dave Rosenberg

I got a lot of questions about a recent post on "freemium" business models asking what Web 2.0 companies dependent on advertising revenue can do to weather the storm.

The short answer: generate revenue from the service you provide.

To clarify: if your company provides an online service that people use consistently and you are dependent on advertising for all of your revenue, you should figure out a way to directly monetize the user base. That is, charge for something that is perceived to be valuable to the user.

This advice is no different for Web 2.0 than it is for open source. If you are a business, you exist to make money. Adoption is not enough in a down economy; you need revenue traction as well.

So, how can Web 2.0 or other ad-driven businesses make money?

November 5, 2007 10:44 AM PST

What is the most appealing disruptive software business model?

by Dave Rosenberg

As part of some business model research I am doing for a friend, I tried to figure out what model is the most appealing if you have a green field (untapped market opportunity) and you were going to start something from scratch. As an open-source software guy first and a software-as-a-service guy second, I really wanted open source to be the right way to go. And I believe it is for infrastructure software, but not for packaged applications. I still can't figure out how Web 2.0 companies translate into dollars, though maybe it's as simple as advertising?

For packaged apps, there is really no reason to go through the hassles of deployment when you have the option to integrate hosted applications with your internal systems.

New-school business model Monetization Scorecard:

Open source: Monetization via subscription, tooling, support and licensing
Open source gives you multiple options to monetize users but you pretty much always are going to compete with free.

Web 2.0: Monetization via advertising and subscription
To be successful you need lots of eyeballs, which is why the Web 2.0 companies make it feel like 1999 all over again. The net positive is that lots of cool new technologies have been figured out that will trickle down as all the Web 2.x companies eventually go out of business while a select few get bought by Yahoo and Google.

Software as a service: Monetization via subscription
Software as a service companies like Salesforce.com seem to have really figured out how to monetize and lock in users with no reliance on banner ads or complicated explanations of General Public License vs. Commercial. Is it the perfect model? For packaged apps like customer relationship management or accounting, I have to say this is the right way to go. If you are doing infrastructure, like service-oriented architecture or enterprise content management, the model falls off due to the necessity of connecting internal systems. In this case, hosted apps just become endpoints.


About Software, Interrupted

In "Software, Interrupted," Dave Rosenberg discusses disruption in the software market, as well as the products and services that keep business technology norms in perpetual flux.

With nearly 15 years of technology and marketing experience spanning from Bell Labs to multiple start-up IPOs, Dave co-founded open-source software company MuleSource and now serves as general manager of Hardy Way. He also happens to be a U.S. patent holder and a workaholic. Technology is his best friend and mortal enemy.
