VULNERABILITIES AND CONTROLS IN A BUSINESS SOCIAL NETWORK - A CASE STUDY OF SECURING WEB 2.0 APPLICATIONS
University of Houston Clear Lake (UNITED STATES)
About this paper:
Appears in:
ICERI2010 Proceedings
Publication year: 2010
Pages: 3965-3972
ISBN: 978-84-614-2439-9
ISSN: 2340-1095
Conference name: 3rd International Conference of Education, Research and Innovation
Dates: 15-17 November, 2010
Location: Madrid, Spain
Abstract:
Over the past decade (since early 2000), the Internet community has witnessed a tremendous shift in the usage of the Internet and Web-based applications; the shift can primarily be attributed to the development and deployment of Web 2.0 applications, including social networking websites such as MySpace and Facebook. Web 2.0 applications are characterized by features such as user-generated content, and social interaction and collaboration among users, all of which emphasize harnessing the collective intelligence of the user community. These features have been made possible mainly by the evolution of existing tools and technologies (e.g., AJAX) and easy-to-use open development platforms (e.g., MediaWiki).
In addition to end users, corporations have also embraced Web 2.0 technology. Business social networks have been created by major companies to, for example, solicit customers’ ideas about product designs, gather user experiences and feedback, and provide internal forums for employees to exchange information. Successful adoption of Web 2.0 has opened new opportunities for promoting businesses and increasing productivity and profits.
The fact that Web 2.0 applications are highly interactive, however, has also made such applications vulnerable to security breaches. A hacker, for example, may steal private information from the social networking site, inject incorrect information into the site, or launch Denial of Service (DoS) attacks against the servers that support the services. US legislation such as the Health Insurance Portability and Accountability Act (HIPAA) requires a company or organization to protect customers’ private information, and an organization is required to comply with such regulations. In addition, the success of a social network site depends primarily on the users’ active participation; in order to earn the users’ confidence in the site, the corporation or organization must ensure that proper security features are built into it.
In this paper we present our experience of building security into a business social network that provides a Web-based forum for users to collaboratively develop an online information base. Example applications of such social networks include customer service sites, employee discussion forums, and online publishing of supplementary information for textbooks. In the rest of the paper, we first examine the overall characteristics of Web 2.0 applications, using the business social network as an example. The security requirements of the example business social network are then analyzed, considering common threats against social networks, including Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Dynamic Code Obfuscation (DCO), injection flaws, etc. The paper concludes with a discussion of security mechanisms and protocols that may be used to build security into Web 2.0 applications.
Keywords:
Web 2.0, Security, Web-based Applications.