NIST Guide Provides Blueprint to Safer Web 2.0

October 30, 2007 // Published as a news service by IHS

Many web-based services allow computer programs to talk to each other and exchange user data across several web sites without human intervention.

Many of the attractive features of this Web 2.0, including greater access to information and one-stop transactions that process information from several web sites, are at odds with traditional ways of maintaining computer security.

According to NIST, the security challenges presented by the web services approach are formidable and unavoidable. Difficult and unsolved problems exist, including maintaining confidentiality and integrity in data that is transmitted via intermediary web sites.

Firewalls, which often protect single computers or networks from certain types of attack, are often inadequate to safeguard web services data traveling between web sites.

The publication recommends several steps to make web services more secure, including a measure for content providers to replicate their data and services at backup sites.

Experts said this would improve the availability of their services in the event of denial of service (DoS) attacks intended to shut down a target web site.

Another recommendation is better and more uniform logging of visitors and actions on web sites. The publication also outlines several existing security techniques for making web services more secure, such as adding encryption to data transmitted through eXtensible Markup Language (XML), a protocol that allows the sharing and manipulation of data across different computer platforms.

The free NIST publication is available at http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf.

Source: National Institute of Standards and Technology (NIST).