We at SAGE are excited about all of the advances in web technologies. Between Outlook Web Access, LegalKey's Attorney Desktop, Google Maps and GMail, we all know that today's web is nearly a replacement for desktop applications. That realization will shape much of the thinking we do for future software and hardware deployments.
So that's the good news. The bad news is that the more sophisticated the web gets, the less we know about how secure it really is. In the early days of the web, the technology was so simple that there were very few security implications - it was a "READ ONLY" web. Today, not only can websites allow you to read and write data (thanks in large part to the AJAX revolution), but they can do so without you knowing it. Hackers picked up on this pretty quickly, and there are now many Cross Site Scripting (XSS) attacks that plague unsophisticated web developers. The biggest problem with XSS is that there is nothing you can do to prevent the problem, since the weaknesses the hackers are exploiting are actually the very features of the web that make it so useful today.
What should you do as an individual? The web is here to stay. You cannot avoid it: clients require it, coworkers prefer it and, chances are, you have too much invested already (family photos online, personal email, etc.). So the best advice is to always visit reputable web sites that take security to heart, such as Google, Yahoo and Microsoft. Those companies have headed the hackers off at the pass and have all but eliminated XSS vulnerabilities in their products.
What should you do as an IT Professional? Ask your web-based vendors what their web security strategy is and what measures they have against XSS attacks. They should be happy to share with you the details of their approach.