Nothing. At least not from an attacker's perspective. A blog is an individual content management system, requiring storage (either database or flat file) and the ability to write to that storage. Comments allow discussion but also require access to files and or databases. It's an app, and that means it comes with all the baggage today's web applications necessarily come with: vulnerabilities.

Those vulnerabilities are likely to become more visible as more organizations adopt blogging and other Web 2.0 applications in the next two years. Analyst firm Gartner recently highlighted 27 technologies in its 2008 Hype Cycle for Emerging Technologies, and Web 2.0 is among the list of those that will be soon climbing out of the "Trough of Disillusionment" and entering mainstream adoption.

From the press release for Gartner's Hype Cycle

"Although Web 2.0 is now entering the Trough of Disillusionment, it will emerge within two years to have transformational impact, as companies steadily gain more experience and success with both the technologies and the cultural implications," said Jackie Fenn, vice president and Gartner Fellow.

Blogs are, by definition, a part of Web 2.0, as are many other tools that organizations are starting to adopt. Given that the SEC recently announced it would recognize corporate blogs as public disclosure, it's clear that blogs are coming into their own.

But no one writes their own blog software any more than they write their own content management systems. At least no one sane does. But that means relying upon, and trusting, third-party software like WordPress or TypePad. That means you're trusting that the software is free of vulnerabilities and has been developed with secure coding techniques.

It's one thing to insist your developers use secure coding techniques but it's a way different scenario when you're dealing with third-party, Internet facing applications like blogs.  And you may recall that according to Verizon Business' 2008 Data Breach Investigations Report, verizon-attack-pathways34% of breaches occurred through a web application.

If you're going to be using third party web applications that you cannot guarantee are secure (and you can't) then you ought to be taking advantage of a web application firewall. Yes, Fratto, I went there. But this time it's much harder to argue with the logic. You didn't write the software, you can't be certain it's secure, but you need to make sure it's as secure as it can be. A web application firewall can protect third-party applications just as easily as it can custom developed applications, and in many cases it's actually a lot easier.

And even if they are secure today, what about tomorrow? Sure, if a new vulnerability is discovered (and they always are, at an alarming rate) it'll eventually get patched, but in the mean time what are you going to do to secure it? Or will you take it down and lose the following you've built and the trust that goes with it?

Blogs, especially corporate blogs, are the Internet face to an organization. They are likely (one hopes) to be more visible and viewed than the corporate FAQ or product solution pages. But that visibility brings greater risks, especially in the face of a breach. A WAF can minimize the potential of a breach for your blog regardless of whether you or a third-party developed the software that powers it.


Follow me on Twitter View Lori's profile on SlideShare AddThis Feed Button Bookmark and Share