
Web 2.0 Means “Security the Max Power Way”

Andrew Jaquith · Oct 17, 2007

Last week my Yankee Group research report “The Web 2.0 Security Train Wreck” went live on the Yankee website and is available to our customers. Douglas Crockford, a very smart and well-informed web application expert at Yahoo whom I interviewed for the report, gave it a generally positive review. I sent him a courtesy copy, as is our practice.

However, he also states that I got some things wrong. If you read his critique, he faults me for not pointing out that there is not much more broken in Web 2.0 than was already broken. He is right in the sense that the problems are rooted in well-known anti-patterns — notably, ignorance of good security design. That is true of “1.0” apps too (and I point this out).

What is different is that the Web 2.0 architectural style makes it easier and faster to hose yourself than ever before, because JavaScript is pretty much essential for any significant application.

I am reminded of the Simpsons episode where Homer decides to legally change his name to accelerate his career prospects. He settles on the name “Max Power” because it was on his hairdryer. At the dinner table that night, he lectures Bart:

“Boy, if there’s one thing you should know, it’s this. There’s the right way, the wrong way, and the Max Power way.”

“Uh Dad, isn’t that the wrong way?”

“Yeah son, but FASTER.”

From a security design standpoint, “Web 2.0” is the wrong way, but faster.

Written by Andrew Jaquith
I’m Andrew Jaquith, a Managing Director in financial services. I have worked for JP Morgan Chase and Goldman Sachs. Previously, I was CTO SilverSky, and former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.