Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


May 21, 2008
Does SaaS Stand for Software as a Security Lapse?

Found an interesting blog post over at ZDNet about some of the security weaknesses showing up in various Web 2.0 applications. In this case it was Zoho Writer, the browser-based word processing tool: when the author wanted to quickly retrieve one of her documents on her Zoho page, she ran a search (imagine all the tiresome reading we'd have to do without keyword search), and not only did the intended document show up, but so did 7 other documents created by people she didn't know.

Obviously, it's a problem when documents pop up willy-nilly in a search of someone else's stuff (what if the document had private data in it?). This highlights a growing weakness in Web 2.0: while it's no surprise that many SaaS applications have undiscovered weaknesses and vulnerabilities (which is why applications should be security tested before they're launched onto the web), what is a surprise is that many of these vulnerabilities remain undisclosed.
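To make the bug concrete, here is an added example (not Zoho's code, and not from the ZDNet piece) of a multi-tenant document search that leaks across users, beside a version that enforces ownership scoping, plus the kind of pre-launch isolation check the paragraph above argues for. The document store, user names and the `owner` field are constructed for illustration.

```python
# Added example: a search that ignores the caller's identity versus one that
# scopes results to the caller, with a tenant-isolation check. All data is
# constructed; "owner" is a hypothetical per-user identifier.
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: int
    owner: str   # hypothetical user/tenant identifier
    title: str
    body: str


# Constructed sample store: three users whose documents share the keyword "budget".
STORE = [
    Doc(1, "alice", "Q2 budget", "internal budget figures for Q2"),
    Doc(2, "alice", "Notes", "meeting notes, nothing sensitive"),
    Doc(3, "bob", "Budget draft", "bob's private budget planning"),
    Doc(4, "carol", "Budget", "carol's budget spreadsheet export"),
]


def search_leaky(store, user, keyword):
    """Vulnerable: matches on keyword only. The requesting user is accepted
    but never used, so every tenant's matching documents come back."""
    kw = keyword.lower()
    return [d for d in store if kw in d.title.lower() or kw in d.body.lower()]


def search_scoped(store, user, keyword):
    """Hardened: the ownership filter is applied in the same query as the
    keyword match, so another user's documents can never be returned."""
    kw = keyword.lower()
    return [d for d in store
            if d.owner == user and (kw in d.title.lower() or kw in d.body.lower())]


def leaks_across_tenants(search_fn, store, user, keyword):
    """Pre-launch isolation check: True if any result belongs to someone else."""
    return any(d.owner != user for d in search_fn(store, user, keyword))


if __name__ == "__main__":
    for fn in (search_leaky, search_scoped):
        hits = [(d.doc_id, d.owner) for d in fn(STORE, "alice", "budget")]
        verdict = "LEAK" if leaks_across_tenants(fn, STORE, "alice", "budget") else "ok"
        print(f"{fn.__name__}: {hits} -> {verdict}")
```

The isolation check is the test a search feature should fail before launch rather than in front of a user: run it for every tenant and every query path, not just the one that happened to be noticed.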

The author of the piece quickly informed Zoho of the problem, and they quickly fixed it, but when the author then checked the Zoho blog for any mention of the vulnerability, it was never brought up. Now, I'm sure anyone who's ever been involved in a small company is well aware that you should never advertise your shortcomings, but the problem with Web applications is that unmentioned vulnerabilities can only amplify the problem.

The problem is, this has essentially become standard operating procedure for SaaS applications (Google and Microsoft routinely fix big bugs without any notification). And since it's their application running on their servers, it's pretty easy to see why they don't think they need to tell anyone. But as someone who is in the role of "anyone", I sure would like to know the risks I don't even know I'm taking.

To read the full article from ZDNet, click here.

Posted by pschooff
