As websites are increasingly treated like applications, users, both end users and especially business ones, are moving from traditional old-school desktop applications (remember when “client-server” architecture was the thing?) to Software as a Service (SaaS), in-the-cloud, and just plain web applications. Security has been shifting from securing the local operating system to securing the web channel.
This has been backed by the clear shift from email being the number one carrier of all things bad to the web being the most prominent and efficient channel for cyber attacks. This shift – both the usability one and the security one – has brought a lot of improvement to what we use to browse the internet today: our browsers. With the recent release of Firefox version 3, Google’s release of Chrome, and the upcoming Internet Explorer 8, browser makers are showing great improvements in both usability and security.
Nevertheless, the picture isn’t that pretty on the security front after all. Both Mozilla and Google are facing some major vulnerabilities that were disclosed shortly after the browsers were released. IE8 is lurking on the sidelines, trying to make sure its release will, hopefully, be uneventful (on the security side, of course). History and reality are proving that as long as the web keeps providing such usability, we will have to come up with more than just new versions of browsers: we will need more elaborate ways to secure the web. Issues such as authorization, authentication, permissions, cross-site relationships and mashup data sharing (and these are just scratching the surface) will have to be approached from a higher level, taking into account infrastructures, open protocols and APIs to be used across applications. Merely focusing on securing the endpoint (or now, almost literally, the “window”) to the application is not enough, as corporations will have to deal with the actual essence of the data and the applications handling it.
Don’t get me wrong – I highly appreciate the advancements that Chrome, FF3 and IE8 are making (and am proud to be using all of them almost equally throughout the day), but let’s just remember not to keep living in a “whack-a-mole” security state of mind, and make sure we look at the whole picture.