Research Group Offers Free Technical Resources that Untangle Confusion Surrounding Web 2.0 Security Risks

FOSTER CITY, Calif., Mar. 7, 2007 – Imperva®, the global leader in data security and compliance solutions for the data center, today announced that its internationally-recognized security research organization, the Application Defense Center (ADC), is making available two free educational resources designed to help organizations understand and defend against security risks posed by Web 2.0 infrastructures. First the ADC is offering a free Webinar that outlines and demonstrates violations of security best practices introduced by Web 2.0 applications. In addition, the ADC has developed a downloadable technical brief that explains the security vulnerabilities associated with Web 2.0 applications and presents mitigation techniques.

“Web 2.0 technologies such as AJAX, RSS, and client-side JavaScript libraries allow enterprises to build more responsive, immersive and collaborative applications. Although many of the technologies are not new, the threat model for Web 2.0 is not yet fully understood by developers,” said Andrew Jaquith, Senior Analyst at Yankee Group. “Imperva is taking a leadership role by educating organizations about the risks associated with Web 2.0 applications, and by offering mitigation techniques.”

Web 2.0 Risk Landscape

Web 2.0 applications generally include a mix of three characteristics: Rich Interface Applications (RIA), Syndication (RSS, Mashups, etc.), and User participation (social networks, Wikis, blogs). Each category introduces its own set of vulnerabilities and risks, which create a larger attack surface. One common weakness is the shifting of security processing from the web server to the client. This approach is imposed by scripting used to deliver dynamic Web 2.0 content. Client side security checks, however, violate documented best practices for protecting Internet applications. By blurring the distinction between client and server code, Web 2.0 applications increase exposure to session and cookie tampering, SQL Injection, directory traversal, and cross site scripting (XSS) attacks.

Understanding and Mitigating Vulnerabilities

To help IT organizations understand the vulnerabilities introduced by Web 2.0 applications and take appropriate measures to secure their infrastructure, Imperva is hosting a free Webinar on March 14 and offering a companion technical brief entitled Understanding Web 2.0: Technologies, Risks, and Best Practices. The Webinar and brief will cover key Web 2.0 security concepts and remediation strategies, including:

  • Why Web 2.0 frameworks are ideally suited for cross site scripting and script injection attacks
  • Best practice violations: client versus server side security processing
  • Tracking input validation in AJAX
  • Performing state tracking in modular applications

To register for the Webinar please visit www.imperva.com/go/webinar20. To request the companion technical brief, which will be available after the Webinar, visit www.imperva.com/go/tbw20.

“The convergence of web and collaboration technologies that made Web 2.0 applications possible has created an equally disruptive shift in the Internet threat landscape,” said Amichai Shulman, CTO of Imperva and head of the Imperva Application Defense Center. “Organizations that deploy Web 2.0 applications without a clear understanding of the vulnerabilities they introduce are at risk. Our goal is to arm IT professionals with the knowledge they need to secure their Web 2.0 infrastructures.”

About the Imperva Application Defense Center

The Imperva Application Defense Center (ADC) is internationally-recognized for its leadership in security and compliance research and education. The Imperva ADC has found over 20 vulnerabilities in commercial Web application and database products. Database and application vendors have credited the organization with the discovery of serious vulnerabilities and mitigation techniques that have led to increased security in their products.

About SecureSphere

Imperva SecureSphere award-winning products deliver activity monitoring, audit and security for business applications and databases. SecureSphere products offer proven, automated capabilities for achieving, maintaining and documenting regulatory compliance. SecureSphere is the industry’s only complete business-critical data security and compliance solution that provides full visibility into data usage by the end-user, through the application and into the database. Automated feeds from the security and compliance experts at the Imperva Application Defense Center (ADC) ensure that SecureSphere is always armed with the latest defenses against new threats, and the most recent regulatory compliance best practices.

About Imperva

Imperva is the leader in application data security and compliance. Leading enterprise and government organizations worldwide rely on Imperva to prevent data theft and abuse, and ensure data integrity. The company’s SecureSphere products provide data governance and protection solutions that monitor, audit and secure business applications and databases. For more information, visit www.imperva.com

# # #

Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Editorial Contact

Marc Gendron
(781) 237-0341
marc@mqpr.net