(continued from previous page)
One benefit of Web applications is that patching is much easier than traditional PC or server applications. Fixes don't need to be tested on multiple versions of an operating system, as Google knows exactly what its infrastructure is.
The security process has been in place since Google's early days as a search company, Merrill said. Priorities didn't change much as the company grew to be a provider of many other services, including e-mail, calendaring, advertising, online payments and Google Maps, one of the first Web applications to showcase the benefits of Ajax development techniques to a broad audience when it was launched in 2005.
"It has been built into our code from early on, mostly because we realize that users' search data is extremely private to them," Merrill said. "Security has been in our DNA from the start, particularly once we started doing the advertising work and had advertisers' credit cards and other important data."
Google has multiple processes to lock down its products. All developers are taught Google's coding style, which includes many security principles. All code is reviewed by another developer and run through a scrubbing tool, aptly called "Lemon," before it is submitted in final form.
Particularly sensitive code, such as for billing applications, is created with extra care and then reused. A developer won't write new billing code for a new application.
Even so, much of the Google security team's time is still spent dealing with bugs in applications, and it relies on the Web at large to help hunt them down. When flaws are discovered, Google has a system in place for outside bug hunters to report them.
Google is the only big Web player that has a special page that acknowledges security researchers for reporting vulnerabilities. Bugs that are found get fixed; if the problem is of a new type, it is added to Lemon to prevent it in the future.
"We're going to find them all, but it is going to be a while. Until we find them all, new bugs will happen," Merrill said. "As long as we all work together, we can manage the damage done by these bugs."
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts. June 25, 2007
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara