(continued from previous page)
(continued from previous page)
A natural with computers, Bejar started working for IBM when he was in his late teens. A link with Apple co-founder Steve Wozniak, still a good friend of Bejar, subsequently led him to King's College London where he got a degree in mathematics while also working at IBM there.
He then moved to the United States to work at a start-up that was building distributed social systems, a transition that brought him a step closer to joining Yahoo nearly a decade ago, initially in billing applications.
"It was ultimately the appeal of helping build and protect things that would be used by many people that got me, and has kept me, at Yahoo," he said.
It's a noble goal that is, of course, easier said than done. "Web applications are available to anyone in the world, so you have to build them to withstand instant scrutiny," Bejar said.
He notes that, in theory, developing secure Web applications isn't any different from building good desktop software. But early PC programs and operating systems didn't take that access into account and therefore weren't designed with constant network connectivity in mind.
Curriculum on security has traditionally focused on topics such as encryption. "Security was not defined as what happens if somebody tries to manipulate your API (application programming interface) with malicious or mischievous intent. Application security has a lot to do with building things that don't behave unexpectedly when by accident or by malice somebody on the outside tries to manipulate them," Bejar said.
"We were aware of a lot of these problems before they even had names," he added. "When they first came around, there wasn't any good prior art available so we had to come up with a response ourselves."
That response includes several homemade tools to identify and track potential security issues in the Web site and online applications. One such tool, called Scanmus, hunts for cross-site scripting issues. The tool is named after Rasmus Lerdorf, the original creator of the PHP scripting language and a member of the Yahoo Paranoids.
Others include the Code Ferret, which inspects code and reports bugs to Pepe, a bug-tracking system named after a character similar to Jiminy Cricket in a version of Pinocchio.
The tools were tailored to work with Yahoo's systems. The company had tried some commercial applications but found that it would take too much time to retrofit those to fit its needs.
It is a laborious task, but Bejar knows that some things are worth waiting for. When he went to work at Yahoo in 1998, he was restoring a 1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."
"El Pato was built as Yahoo took off. I built or rebuilt almost every part of it, under the supervision of Bob, my mechanic," Bejar said. "To some extent, I see El Pato as analogous to my time here at Yahoo. The security program has taken time to put together and it requires a lot of thought and understanding of how the different parts interact."
Now he says it may be time for Yahoo to share that hard work outside the company.
"We're all in this together," Bejar said. "If anything were to happen to any one of us, all are impacted."
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
7 commentsJoin the conversation! Add your comment