Protecting Federal Government from Web 2.0 Application Security Risks

The presentation
Social Media and Web 2.0 technologies - such as blogs, podcasts, web chat, Facebook, Twitter, RSS feeds and wikis – offer a variety of mechanisms that integrate technology, social interaction, and dynamic content creation. They offer a rich set of facilities for users to interact with one another and with remote servers to facilitate content generation, sharing and distribution. Understandably, US federal government organizations are eager to harness the power of Web 2.0 technologies to further their mission and business objectives. However, there is a vast set of security challenges in integrating Web 2.0 technologies into the current federal government IT infrastructure. Most of the security challenges related to the use of Web 2.0 technologies revolve around application security vulnerabilities. For example, most of the OWASP Top 10 security risks are inherent in the use of Web 2.0 technologies.

The Federal Information Security Management Act (FISMA) of 2002 serves as the core driver for information security practices within the federal government. The security goals of FISMA are to protect the confidentiality, integrity and availability (C.I.A.) of information being processed, stored or transmitted by government information systems. It is interesting to note that many of the security risks posed by application security threats (such as malicious scripts uploaded to a government server by one user being downloaded and executed by another user) are beyond the scope of the FISMA goals since such actions do not directly compromise the C.I.A. of information handled by a government information system. Yet, such vulnerabilities may directly impact the “reliability” and “safety” of government information systems.

This presentation will focus on the application security challenges in embracing Web 2.0 within the federal government, both from client (i.e., running Web 2.0 clients that connect to a non-federal Web 2.0 service) and server (i.e., hosting a Web 2.0 service within the federal environment) perspectives. We will then discuss whether and how the current set of FISMA security controls (as described in the NIST Special Publication 800-53 Revision 3) are effective in addressing or mitigating the Web 2.0 threats. Finally, we will provide specific approaches to strengthening the security management and implementation techniques used within the federal government to allow the judicious adoption of selected Web 2.0 technologies within the federal IT infrastructure.

The speaker
Speaker bio will be posted shortly.