(continued from previous page)

NEWS.COM SPECIAL REPORT: Wardens of the Web

Microsoft, for example, came late to Web security--and to digital security in general. Until well into the 1990s, security was largely an afterthought in Windows, which was not designed with persistent network connectivity in mind.

Once it fully understood the issue's importance, however, Microsoft poured billions of dollars into the protection of client and server software. That effort has been expanded to include Web security as the company has moved more deeply into Web services with its "live" initiative--Microsoft's marketing-speak for its new online properties--which includes Windows Live, the online complement to software on the PC's hard drive.

It's understandable why Microsoft would think it knows best how to address a problem as big as Web security. Not only is it the world's largest software company, but many veterans there believe they have seen it all years before. Back then, they say, it was called desktop security.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can't be entered--or "validate" in industry parlance--and you can eliminate the major access point for security breaches.

"If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I contend that 80 percent of the vulnerabilities that we see are input validation errors."

As a result, Boden believes that Microsoft has a leg up on the competition, having learned quickly about Web security because of its long software history and Trustworthy Computing experience. Like its main rivals, Microsoft has created tools to help developers quash bugs and test the quality of code, such as a program called Anti-XSS that finds cross-site scripting vulnerabilities.
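As an added illustration of the input-validation point Boden makes and of the cross-site scripting class that Anti-XSS targets (this is example code, not code from the article or from Microsoft's tool): a page fragment that reflects a user-supplied name in its unvalidated form, beside a version that allow-lists the input and HTML-encodes it on output. The function names, the allow-list pattern and the sample inputs are assumptions constructed for this example.

```python
import html
import re

# Constructed sample inputs (not from the article): two ordinary names and
# a value carrying markup that should never reach the page untouched.
SAMPLE_INPUTS = ["Alice", "<b>Bob</b>", "O'Brien"]

# Assumed allow-list for a display name: letters, spaces, apostrophes and
# hyphens, at most 40 characters. Anything else is rejected up front.
DISPLAY_NAME = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def render_unsafe(name: str) -> str:
    """'Before' version: reflects the user-supplied value into HTML untouched.
    Any markup in `name` becomes part of the page, which is the cross-site
    scripting defect a tool like Anti-XSS is built to flag."""
    return f"<p>Welcome, {name}!</p>"


def validate_display_name(name: str) -> str:
    """Input validation in the article's sense: decide what may be entered.
    Rejecting early keeps unexpected characters out of every later code path."""
    if not DISPLAY_NAME.fullmatch(name):
        raise ValueError("display name contains disallowed characters")
    return name


def render_safe(name: str) -> str:
    """Hardened version: validate the input, then HTML-encode it on output.
    Encoding stays even after validation (defence in depth): the allow-list
    permits apostrophes, which html.escape turns into &#x27;."""
    clean = validate_display_name(name)
    return f"<p>Welcome, {html.escape(clean, quote=True)}!</p>"


def triage(inputs):
    """Run each input through both renderers and report, per value, whether
    the unsafe path leaked raw markup and whether validation accepted it."""
    report = []
    for value in inputs:
        leaked = "<" in value and value in render_unsafe(value)
        try:
            accepted = render_safe(value) is not None
        except ValueError:
            accepted = False
        report.append((value, leaked, accepted))
    return report
```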

"It wasn't as daunting here as it may have been in some other places," Boden said. "There is a ramp and a learning curve we have to climb, but I think the learning curve for us is steep because of the prior investment we've made in our response process and our security program across the company."

Still, doubts linger. This is the company, after all, that misjudged the significance of the Internet back in the mid-1990s and later underestimated the value of Internet search and digital music.

Will Microsoft get it right with Web security? There's a good chance that it will, simply because there's too much at stake for the company as business moves increasingly to the Web. Moreover, regardless of how effective Microsoft's operations are, millions of consumers and developers will maintain pressure on the company to plug security holes.

Others confronting the Web security issue aren't so sanguine. Google, for one, sees all this as foreign terrain filled with potential land mines that may not even be known yet.

Douglas Merrill, Google's vice president of engineering, says that a scatter-shot approach is often the best bet in this hazy environment. Merrill trusts his company's servers more than the Mac in his office to safeguard his personal information because Google builds more layers of security around its data centers than around individual computers.

"Obviously there are corner cases in each model that you shouldn't go to," he said. "We devote vast quantities of resources to securing the cloud."

Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have all argued that they have hardened servers to withstand attacks, but e-mail worms, phishing attacks and other assaults are still routine.

That's why Yahoo's Bejar argues that more industry collaboration is needed. As an example of a successful corporate arrangement, he cites Yahoo's partnerships with eBay and PayPal, and he would like to reach out more to MSN and Google as well as other industry groups.

It isn't just Web sites and online applications that need better security, Bejar argues. Other factors, such as stronger browser security, could make a huge difference.

There's just one problem: Yahoo doesn't control the browser. "There are challenges being presented by the browser security model that we as an industry need to work on together," Bejar said.

Google is attempting to work around that problem by acquiring some technology that could make Web browsing safer. Microsoft has developed features such as the green bar in Internet Explorer 7 to indicate "trusted" Web sites, part of an initiative that also involves KDE, Mozilla, Opera Software and other browser makers.

All this is a good start, but it's mostly reactive. Security experts at the Big Three companies believe that more needs to be done at the root level of software development, starting at the university level to teach security to the incoming workforce as early as possible.

Universities should offer more courses that bridge the gap between what applications should do and what they can do--an approach to engineering that isn't widely taught today.

Simply put, Bejar says, "We need to make sure that we're on the same page."

