Danny Allan of IBM had just finished his primer on potential security risks of Web 2.0 applications when enterprise software developers filing out were overheard telling each other, “That was scary!” and “Now I’m depressed.”
Allan says he didn’t mean to scare, but to educate. “The lesson is not to run away but to prepare,” said Allan, director of security research at Watchfire, an IBM-owned security firm, and one of the presenters at the AjaxWorld 2007 Conference & Expo in Santa Clara.
He and other experts on writing software using Ajax stressed that Web 2.0 applications that run on a user’s computer, the client, may run fast, provide useful information and offer a richer Web experience, but developers should not assume that they can be as functional, reliable or, most importantly, secure as applications that reside on a server.
One catchphrase was heard as often at AjaxWorld as “Save the cheerleader” was on the first season of “Heroes”: “Don’t trust the client.”
Developing enterprise Web 2.0 apps on the Ajax framework is still new, and some of the 900 attendees at the conference, held Sept. 23-26, aren’t yet ready for it.
“It’s so unsettled,” says Sam Elsamman, CEO of siteMagix, a Web site builder in Florida.
While the Web 2.0 world of YouTube, Wikipedia and MySpace is familiar to consumers, Web 2.0 in the enterprise is fundamentally different, says Ted Farrell, chief architect and vice president of tools and middleware at Oracle.
Consumer Web 2.0 is about social networking, sharing opinions or writing one’s own content rather than just reading someone else’s, Farrell says. But enterprise Web 2.0 is about collaborating and working more efficiently for the good of the company.
“[Consumer] Web 2.0 is about stickin’ it to the man or user-owned data,” he says. “In the enterprise it’s all about getting your job done better.”
Because Web 2.0 is still evolving, enterprises aren’t sure what technology to bet on. They may have a choice between Microsoft Silverlight and Adobe AIR for creating applications within the Ajax framework.
“If you go with one of those solutions, you had better be right or you’re stuck,” Farrell says. “[Enterprises] need the assurance that they’re not going to be stuck again years from now.”
But a more critical concern is what applications an enterprise will allow on the client and which it must keep on the server, says Robert Brewin, CTO of the software group at Sun.
Take, for example, the Ford Motor Web site that lets visitors browse through car and truck models and “build” their car with options, Brewin says. One feature lets them click on a red square, and the picture of the Taurus onscreen changes to red. Click green and the car turns green.
“Web 2.0 is perfect for that,” he says, because it’s a fairly benign action.
But if a customer wants to actually buy a Taurus and provide personal information online, or a dealer wants to have the factory deliver one, or someone in Ford’s supply chain wants to pay a supplier when parts for that Taurus arrive at the assembly plant, those actions need to be reliable and secure, and that means on the server, not the client, Brewin says.