By Jack M. Germain TechNewsWorld
12/18/07 4:00 AM PT
Web 2.0 applications are quickly taking over traditional activities on the Internet. Web sites are becoming interactive as they offer multi-function applications. This, in turn, is creating greater security risks for both consumers and network operators.
One of the biggest concerns is the need for Web 2.0 developers to build their applications with security in mind from the ground up. Until now, too many developers have built software the traditional way, with security added on at the end.
"The Web is enhancing at a tremendously active pace today compared to five years ago. Web sites used to be little more than online billboards. Today, they are distributors of complex applications with multiple functions," Michael Sutton, security evangelist for HP (NYSE: HPQ) quality management, told TechNewsWorld.
HP acquired Web application security firm SPI Dynamics in June as part of a business strategy to ramp up Web security for its clients. TechNewsWorld recently met with Sutton to discuss HP's efforts in dealing with the growing threats associated with Web 2.0.
TechNewsWorld: What do you see as the most problematic aspects of the Internet today?
Michael Sutton: There are no more static pages on the Web. Instead, Web sites thrive on user-supplied input. Web applications are now all about mission critical delivery. That makes me very concerned about Web 2.0 security.
TechNewsWorld: Do you see the Internet reaching a growth plateau now that Web 2.0 applications are so popular?
Sutton: It's just the opposite. The Web as we see it today will be dramatically different in the next two to three years. The use of Ajax on Web sites makes them much more responsive. Its use will increase. We will see current technology such as Flash fade as newer technology gets pushed to developers. Take, for instance, Microsoft's (Nasdaq: MSFT) Silverlight technology.
TechNewsWorld: How does this rapid development impact security issues?
Sutton: These new programming methods are changing all of the old rules. Now attackers are going after holes in Web sites that are much more accessible with all of the Web 2.0 apps running on them. Many of these security holes had always been there, but nobody used them. Today, we can no longer rely on security by obscurity.
TechNewsWorld: How would you characterize the state of security on the Internet today?
Sutton: There is far too much low-hanging fruit. The Web is really the Wild Wild West of attackers today. This condition is now out of the shadows because security experts can actually show proof of the kinds of attacks coming through these Web 2.0 holes. Now we have much better statistics to demonstrate the kind of attacks being made.
TechNewsWorld: Why are security attempts failing at blocking these threats?
Sutton: We are getting too many emerging attacks that we haven't seen before. We are getting better at locking down programs, but the hackers are getting better at the kinds of attacks they pull off as well. For instance, the two top vulnerabilities are cross-site and SQL injection attacks. Cross-sites happen because browsers can be tricked into accessing embedded data. SQL injection attacks prey on programming language for back-end databases. The attackers can read and overwrite data that they should not be able to access.
TechNewsWorld: How prevalent are these vulnerabilities?
Sutton: Cross-site scripting is so heavily used by hackers that at least 85 percent of all Web sites are vulnerable to attack. SQL injection attacks victimize 25 percent.
TechNewsWorld: What steps do site developers have to take to reduce these vulnerabilities?
Sutton: Fixes for most Web 2.0 application vulnerabilities are not that difficult. Software developers need controls to limit the types of input allowed through the rules. But we tend not to do this. That's when things slip through the holes.
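The two flaws Sutton names and the input controls he recommends, shown as an added Python example that is not part of the interview or of HP's tools: a SQLite lookup built by string concatenation next to its parameterized form, an allow-list check on the input, and HTML encoding before output. The users table, the usernames and the tampered input are constructed for the demonstration.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed sample data: a tiny users table standing in for a
    # Web 2.0 back-end database (hypothetical, not from the interview).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: user input is spliced straight into the SQL text, so a
    # crafted name changes the query's logic instead of being compared as data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the value travels as a bound parameter; the database never
    # parses it as SQL, whatever characters it contains.
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(name):
    # Allow-list input control: accept only the shape a username may have
    # and reject everything else before it reaches the query.
    return USERNAME_RE.fullmatch(name) is not None

def render_greeting(name):
    # XSS defence: encode user-supplied text before embedding it in HTML so
    # the browser displays it instead of interpreting embedded markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"          # constructed tampered input
    print(len(lookup_unsafe(conn, tampered)))   # 2: every row leaks
    print(len(lookup_safe(conn, tampered)))     # 0: treated as a literal name
    print(validate_username(tampered))          # False: rejected up front
    print(render_greeting("<b>guest</b>"))      # markup is shown, not run
```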
TechNewsWorld: Why aren't Web app developers more mindful of this security fix?
Sutton: Today, so many people can build a Web application without formal programming training. They use tools that build the programs to run on the Web site. The people doing these builds are not real developers or security experts. We are seeing a huge explosion of vulnerabilities as a result. This is not being done deliberately, of course. It is just that they do not know enough about security.
TechNewsWorld: How can security companies overcome this problem?
Sutton: The industry needs to involve developers and all the players along the way. I am a firm believer in the need to build security software by default. Building in security is like doing an audit. Nobody likes to take those steps, but it is a necessary evil. The skill sets used to be localized for software only. Not anymore. Different skill sets are needed for Web applications.
TechNewsWorld: So how do security companies turn this problem around?
Sutton: Developers cannot just rely on the security team. They get involved way too late in the development process. The developers, quality assurance teams and management all have to be involved. Giving them tools is only one part of the solution. Security is bigger than that.
TechNewsWorld: You are a security tool company. Are you saying that your efforts are not working?
Sutton: We need to educate all players in the process. They do need our automated tools. These tools are getting quite mature. But the tools are not better than seasoned security teams. It is more of a one-two punch process. Web applications are way too complex today. A company can't hire enough humans to find all the security holes in software and Web site architecture. So tools become invaluable.
TechNewsWorld: Is anything else needed to curb security concerns with Web 2.0 applications?
Sutton: Every QA (quality assurance) and developer team member needs a security background. We built security functionality into our tools platform so developers using it are already working with security. This is not an impossible task.