Protecting Federal Government from Web 2.0 Application Security Risks
The Federal Information Security Management Act (FISMA) of 2002 serves as the core driver for information security practices within the federal government. The security goals of FISMA are to protect the confidentiality, integrity and availability (C.I.A.) of information being processed, stored or transmitted by government information systems. It is interesting to note that many of the security risks posed by application security threats (such as malicious scripts uploaded to a government server by one user being downloaded and executed by another user) are beyond the scope of the FISMA goals since such actions do not directly compromise the C.I.A. of information handled by a government information system. Yet, such vulnerabilities may directly impact the “reliability” and “safety” of government information systems.
This presentation will focus on the application security challenges in embracing Web 2.0 within the federal government, from both the client perspective (i.e., running Web 2.0 clients that connect to a non-federal Web 2.0 service) and the server perspective (i.e., hosting a Web 2.0 service within the federal environment). We will then discuss whether and how the current set of FISMA security controls (as described in NIST Special Publication 800-53 Revision 3) is effective in addressing or mitigating the Web 2.0 threats. Finally, we will provide specific approaches to strengthening the security management and implementation techniques used within the federal government, so that selected Web 2.0 technologies can be adopted judiciously within the federal IT infrastructure.