
(continued from previous page)

News.com special report:

Wardens of the Web


A natural with computers, Bejar started working for IBM when he was in his late teens. A link with Apple co-founder Steve Wozniak, still a good friend of Bejar, subsequently led him to King's College London where he got a degree in mathematics while also working at IBM there.

He then moved to the United States to work at a start-up that was building distributed social systems, a transition that brought him a step closer to joining Yahoo nearly a decade ago, initially in billing applications.

"It was ultimately the appeal of helping build and protect things that would be used by many people that got me, and has kept me, at Yahoo," he said.

It's a noble goal that is, of course, easier said than done. "Web applications are available to anyone in the world, so you have to build them to withstand instant scrutiny," Bejar said.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

He notes that, in theory, developing secure Web applications isn't any different from building good desktop software. But early PC programs and operating systems didn't take that kind of open, worldwide access into account and therefore weren't designed with constant network connectivity in mind.

Curriculum on security has traditionally focused on topics such as encryption. "Security was not defined as what happens if somebody tries to manipulate your API (application programming interface) with malicious or mischievous intent. Application security has a lot to do with building things that don't behave unexpectedly when by accident or by malice somebody on the outside tries to manipulate them," Bejar said.

"We were aware of a lot of these problems before they even had names," he added. "When they first came around, there wasn't any good prior art available so we had to come up with a response ourselves."

That response includes several homemade tools to identify and track potential security issues in the Web site and online applications. One such tool, called Scanmus, hunts for cross-site scripting issues. The tool is named after Rasmus Lerdorf, the original creator of the PHP scripting language and a member of the Yahoo Paranoids.

Others include the Code Ferret, which inspects code and reports bugs to Pepe, a bug-tracking system named after a character similar to Jiminy Cricket in a version of Pinocchio.

The tools were tailored to work with Yahoo's systems. The company had tried some commercial applications but found that it would take too much time to retrofit those to fit its needs.

It is a laborious task, but Bejar knows that some things are worth waiting for. When he went to work at Yahoo in 1998, he was restoring a 1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."

"El Pato was built as Yahoo took off. I built or rebuilt almost every part of it, under the supervision of Bob, my mechanic," Bejar said. "To some extent, I see El Pato as analogous to my time here at Yahoo. The security program has taken time to put together and it requires a lot of thought and understanding of how the different parts interact."

Now he says it may be time for Yahoo to share that hard work outside the company.

"We're all in this together," Bejar said. "If anything were to happen to any one of us, all are impacted."
