Secure Computing has launched a new service designed to help IT security teams combat the latest Web 2.0 threats to their organisations. The Secure Web 2.0 Anti-Threat (Swat) initiative offers research, best-practice advice and web and messaging technologies.

Swat is partly a response to recent Forrester research that found a sizeable gap between firms' perceptions of Web 2.0 technology and their ability to handle threats.

Around 95 per cent of respondents said they valued the use of Web 2.0 applications like blogs, wikis and content-sharing technology, while a similar number said they were concerned about threats to these technologies. But only five per cent of organisations surveyed said they actually had put in place specific technology to guard against these risks.

"A lot of firms now use Web 2.0 and value these productivity-enhancing tools, but what they're not considering is the type of security they need to put in place," argued Secure's product manager, Mike Smart. "We're trying to help customers to understand that the threats are now more complex and why they're bypassing traditional anti-virus and URL filtering security."

Smart highlighted cross-site scripting attacks (XSS), hacking of RSS feeds and PDFs with malicious code embedded within as some of the examples of Web 2.0 threats that many firms are ill-equipped to deal with.

"We're not saying buy Secure Computing and you'll be protected; it's about process and awareness and understanding the threats and how they work," he explained.

As part of Swat, the firm announced a seven-step guide to better web security that recommends the use of robust management reporting and auditing tools, proactive real-time web and messaging filtering for all domains and security-aware proxies and caches.

Andrew Kellett of analyst firm Butler Group said the announcement shows vendors are taking Web 2.0 threats seriously. "It's about web and filtering solutions and data loss prevention and aligning solutions to ensure that everything is protected when facilities used outside the network connect back in," he added.

Meanwhile, the threat to firms from Web 2.0 vulnerabilities was highlighted recently by a new disclosure of an Ajax super worm that could gather information from existing resources that list XSS-vulnerable web sites.

Posted on the web site of "creative hacker" organisation Gnucitizen, the disclosure details how a new worm could be created that checks in real-time the database of the XSSed site, before attacking vulnerable sites.

Ajax apps are particularly vulnerable because they reside on both the client and the server, meaning more points of potential exposure, according to Pete Simpson, ThreatLab manager at web and messaging security firm Clearswift.

"It's a very efficient propagation technique and [the worm] could be coded to do whatever the criminals want," he added.

Simpson argued that the popularity for all things Web 2.0 is driving up demand for programmers, exposing many who don't have the requisite security skills. "A lot of newcomers are re-using code, and don't really understand [security] – this could be messy for a while," he warned.