Web 2.0 – Why the internet got better, why security got worse.

Web 2.0 was recently crowned the one millionth word of the English language.  This is perhaps just one indicator of the impact that Web 2.0 has had on our everyday lives. Why?  In this blog, I’m going to go into what Web 2.0 actually is, some of the underlying technologies and what challenges these bring for security.

What is Web 2.0? Well, what was Web 1.0?

Web 1.0 could be considered static.  Although web pages could be dynamically generated at the server in the Web 1.0 environment, the user experience was somewhat stale. Every piece of information requested from or delivered to the server required a complete page refresh.  This was great for delivering pages of documents for research purposes, but not so great for the average Joe to do most of the things we take for granted today, such as online shopping and social networking.  There was a certain sense of restriction with Web 1.0 which lasted for some years.  Most software development decisions ended up being driven towards thick client applications (usually Java or Microsoft based) as web based technology simply couldn’t provide the capabilities needed.  For a brief moment, hopes were raised by Java applets, which could be delivered through a browser, but due to performance issues and download times, these hopes were ultimately dashed.  The web predominantly remained the archive for research documentation and online static corporate brochures.

Bring on AJAX.

One of the key factors in the rebirth of the Web was Ajax. Ajax was a term originally coined by Jesse James Garrett.  It’s shorthand for Asynchronous JavaScript And XML (AJAX).  What Ajax essentially allowed developers to do was bring data objects to the client without requiring a full page refresh. This is done by using a JavaScript object called XMLHttpRequest. It’s worth noting that other technologies were already in use before this which achieved similar results. The use of hidden inline frames gave some ability to bring data to the client for use.  The hidden frame technique is still in use today and in some circumstances is more appropriate than Ajax (details of this are out of the scope of this blog). By combining this data retrieval, the viral spread of XML as an interchange format and advances in JavaScript’s client side graphical manipulation capabilities, developers soon realised they had something to work with.  It wouldn’t be long before a web client could do everything a thick client could do and more.

This really did revolutionise the way client-server communication could work over the web, and many pioneering companies began to publish applications to take advantage of these developments (e.g. Google, Yahoo, Myspace, etc.). Client-server communication would never be the same again.

Did you see that picture on Facebook? Social Networking.

How many people reading this can put up their hand and say, “I’ve never looked at Facebook”? You may not have an account, but have you really never had a peek?

These massive leaps in usability at the browser made things easier, faster and slicker: everything the average Joe appreciates in technology.  Social networking has exploded. Facebook, Myspace, Bebo, LinkedIn (social or business? you decide) and Twitter. At some stage you will have used, seen or heard about one of these sites.  People are now, more than ever, willing to share their pictures, videos, wants, likes, needs and thoughts with the wider world.  This is happening in a way that people never expected.  This promotes an inclusive approach to one’s social life, encouraging sharing.  The Internet is no longer the playground of the techie, it’s for everyone, and this can only be an overall positive.

What about web services?

Web services have a wide number of definitions. These have developed alongside Web 2.0, or maybe even as a result of its success.  When pundits ramble about Web 2.0, most focus on the consumer experience. Perhaps web services aren’t really part of Web 2.0? I think they’re integral.  I consider a web service to be any web based service which can be consumed by either a browser or another server application.

For years, standardised forms of communication between applications were difficult to achieve. Hundreds, perhaps thousands, of proprietary protocols were introduced to facilitate communication between applications and application modules.  Several proprietary middlewares also attempted to achieve this.  With the success of Web 2.0, developers started to realise that there was a gigantic interconnected, integrated and globe spanning network of servers that seemed to just work. So, why not use those technologies in enterprise applications?  Hello Web Services!!

Web services essentially sit on a web server.  They listen for HTTP requests and provide data responses to those requests; simple.  There are a couple of schools of thought on what the definition of web services should be. Here, I’ll just tip my hat to them, as that’s a whole series of blogs to discuss as a single topic.  If you want to know more, look up WSDL (SOAP based web services) vs RESTful.  Google search can tell you the rest.

Web services promise a giant leap in standardisation. Different vendors can have their applications talk to each other over the web and web services. E.g. an order entry system talks to an inventory management system using SOAP based XML messages over HTTP requests. We could maybe have half of our apps in “the cloud” and the other half held on-premise, talking to each other via web services.
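As an added example that is not part of the original post, here is the order-entry/inventory exchange just described with both sides in one Python script. The SOAP 1.1 envelope namespace is real; the inventory namespace, element names and stock figures are constructed for the example, and the HTTP POST is replaced by an in-process call so it runs offline.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace is the real one; the inventory namespace is
# a hypothetical one chosen for this example.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
INV = "urn:example:inventory"

# Constructed stock figures standing in for the inventory system's database.
STOCK = {"WIDGET-42": 7, "GADGET-7": 0}


def build_stock_query(sku, qty):
    """Order-entry side: wrap a StockQuery in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    query = ET.SubElement(body, f"{{{INV}}}StockQuery")
    ET.SubElement(query, f"{{{INV}}}Sku").text = sku
    ET.SubElement(query, f"{{{INV}}}Quantity").text = str(qty)
    return ET.tostring(env, encoding="unicode")


def inventory_service(request_xml):
    """Inventory side: what the HTTP handler would do with the POSTed body."""
    root = ET.fromstring(request_xml)
    query = root.find(f"{{{SOAP}}}Body/{{{INV}}}StockQuery")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    sku = query.findtext(f"{{{INV}}}Sku") if query is not None else None
    if sku not in STOCK:
        # Malformed body or unknown SKU: answer with a SOAP Fault, not a stack trace.
        fault = ET.SubElement(body, f"{{{SOAP}}}Fault")
        ET.SubElement(fault, "faultcode").text = "soap:Client"
        ET.SubElement(fault, "faultstring").text = "unknown SKU"
    else:
        qty = int(query.findtext(f"{{{INV}}}Quantity", default="0"))
        resp = ET.SubElement(body, f"{{{INV}}}StockResponse")
        ET.SubElement(resp, f"{{{INV}}}Sku").text = sku
        ET.SubElement(resp, f"{{{INV}}}OnHand").text = str(STOCK[sku])
        ET.SubElement(resp, f"{{{INV}}}Available").text = str(STOCK[sku] >= qty).lower()
    return ET.tostring(env, encoding="unicode")


def check_stock(sku, qty, transport=inventory_service):
    """Order-entry side: send the query (in-process here, HTTP POST in reality) and parse the reply."""
    root = ET.fromstring(transport(build_stock_query(sku, qty)))
    fault = root.find(f"{{{SOAP}}}Body/{{{SOAP}}}Fault")
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring"))
    resp = root.find(f"{{{SOAP}}}Body/{{{INV}}}StockResponse")
    return resp.findtext(f"{{{INV}}}Available") == "true", int(resp.findtext(f"{{{INV}}}OnHand"))


if __name__ == "__main__":
    print(check_stock("WIDGET-42", 5))  # (True, 7)
    print(check_stock("WIDGET-42", 9))  # (False, 7)
```

The `transport` parameter is the only thing to swap for a real deployment: replace the in-process call with an HTTP POST of the envelope to the inventory system's endpoint.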

What does this mean for my business, what does it mean for security?

As with most things in life, this means potential opportunities and potential threats.  Social networking gives businesses new opportunities to engage with their customers, suppliers and partners in ways which were not possible before.  It’s not just about posting a few brochures any more; you can give your contacts insights into the everyday workings of your company and products.  Those slow to react to this will lose ground in the market.  Web services again present new opportunities to improve both technical capabilities and efficiencies. They may deliver on your goals and objectives for modularity, flexibility and scalability in your distributed applications.  The technologies are evolving and so are we. Openness is the order of the day, but it can be difficult to strike the balance between security and disclosure.

Being open here means connecting to the outside world.  This means unblocking your firewalls. This means allowing your employees to use social networking. There must be a realisation that social networking is not only a route for procrastination; it’s also a business necessity.  Your employees need to communicate with their contacts in this way.  This also means that your firewall, which previously did a great job of blocking port scanners and dodgy emails, needs to evolve.  If we need to allow a bevy of new web services and web traffic through to the outside world, we also need a way to control and monitor that traffic.

This doesn’t mean that, just because the opportunity is there, all your employees are pumping out company secrets, but they do need to be educated about the information they put out there. LinkedIn is a great example of this.  You can pretty much look at any company in the world and see who works there, who recently joined and who recently left.  This is perhaps less sensitive than someone posting a Facebook status saying “Just came out of a strategy meeting, decided to do ****** with our product suite”. As you can see, the potential for security breaches just got worse.  Solutions continue to develop to address these new needs, but always remember that 80% of the time it’s about helping the good guys make the right decisions. Only 20% of security breaches are malicious.

I’ve not addressed “the cloud” much here, but will be following up with a blog on virtualization and security in the cloud.

For now I’ll leave you with these questions: how has Web 2.0 affected me, and what will Web 3.0 be?