(continued from previous page)
One benefit of Web applications is that patching is much easier than traditional PC or server applications. Fixes don't need to be tested on multiple versions of an operating system, as Google knows exactly what its infrastructure is.
The security process has been in place since Google's early days as a search company, Merrill said. Priorities didn't change much as the company grew to be a provider of many other services, including e-mail, calendaring, advertising, online payments and Google Maps, one of the first Web applications to showcase the benefits of Ajax development techniques to a broad audience when it was launched in 2005.
"It has been built into our code from early on, mostly because we realize that users' search data is extremely private to them," Merrill said. "Security has been in our DNA from the start, particularly once we started doing the advertising work and had advertisers' credit cards and other important data."
Google has multiple processes to lock down its products. All developers are taught Google's coding style, which includes many security principles. All code is reviewed by another developer and run through a scrubbing tool, aptly called "Lemon," before it is submitted in final form.
Particularly sensitive code, such as for billing applications, is created with extra care and then reused. A developer won't write new billing code for a new application.
Even so, much of the Google security team's time is still spent dealing with bugs in applications--and it relies on the Web at large to help hunt them down. When flaws are discovered, Google has a system in place for outside bug hunters to report them.
Google is the only big Web player that has a special page that acknowledges security researchers for reporting vulnerabilities. Bugs that are found get fixed; if the problem is of a new type, it is added to Lemon to prevent it in the future.
"We're going to find them all, but it is going to be awhile. Until we find them all, new bugs will happen," Merrill said. "As long as we all work together, we can manage the damage done by these bugs."
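The article describes two mechanics without detail: a pre-submit "scrubbing tool" every change passes through, and a rule set that grows whenever a newly discovered bug class is fed back into it. The block below is an added illustration of that workflow, not Google's Lemon (the page says nothing about Lemon's internals); the rule identifiers, regular expressions, file names and source snippets are all constructed for the example.

```python
"""Minimal pre-submit scrubber: block a change if any source line matches a known-bad pattern.

Added example, not code from the article or from Google. Rule IDs, patterns and the
sample files are constructed assumptions; a real tool would work on an AST, not regexes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, rule id, message)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: "re.Pattern[str]"
    message: str


# One Rule per bug class. Keywords are matched case-sensitively so that prose
# mentioning "delete" in a comment does not trip the SQL rule.
RULES: List[Rule] = [
    Rule("XSS-001", re.compile(r"\.innerHTML\s*=\s*(?!['\"])"),
         "innerHTML assigned from a non-literal; use textContent or an escaping helper"),
    Rule("XSS-002", re.compile(r"\bdocument\.write\s*\("),
         "document.write() with dynamic content is a script-injection sink"),
    Rule("SQLI-001", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*['\"]\s*[+%]\s*\w"),
         "SQL built by string concatenation or %-formatting; use a parameterised query"),
    Rule("SQLI-002", re.compile(r"\bf['\"][^'\"\n]*\b(SELECT|INSERT|UPDATE|DELETE)\b"),
         "SQL built with an f-string; use a parameterised query"),
    Rule("EVAL-001", re.compile(r"\beval\s*\("),
         "eval() on data is a code-injection sink"),
]


def register(rule: Rule) -> None:
    """Feed a newly found bug class back into the scrubber (the 'added to Lemon' step)."""
    if any(r.rule_id == rule.rule_id for r in RULES):
        raise ValueError(f"duplicate rule id {rule.rule_id}")
    RULES.append(rule)


def scan(path: str, text: str) -> List[Finding]:
    """Return every (path, line, rule id, message) hit in one file; comment lines are skipped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append((path, lineno, rule.rule_id, rule.message))
    return findings


def presubmit(files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Gate a change: ok is False (submission blocked) if any rule fires on any file."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan(path, text))
    return (not findings), findings


# Constructed sample change: one reflected-XSS sink, one concatenated SQL query,
# and the parameterised version of the same query that should pass.
SAMPLE_FILES: Dict[str, str] = {
    "ui/search.js": (
        "function render(q) {\n"
        "  var box = document.getElementById('results');\n"
        "  box.innerHTML = q;            // reflected search term\n"
        "  box.textContent = q;          // safe alternative\n"
        "}\n"
    ),
    "billing/charge.py": (
        "def lookup(conn, uid):\n"
        "    return conn.execute(\"SELECT card FROM cards WHERE uid = '\" + uid + \"'\")\n"
    ),
    "billing/charge_fixed.py": (
        "def lookup(conn, uid):\n"
        "    return conn.execute(\"SELECT card FROM cards WHERE uid = ?\", (uid,))\n"
    ),
}

if __name__ == "__main__":
    ok, hits = presubmit(SAMPLE_FILES)
    for path, lineno, rule_id, msg in hits:
        print(f"{path}:{lineno}: {rule_id}: {msg}")
    print("submit allowed" if ok else "submit blocked")
```

Running the block blocks the sample change on `ui/search.js:3` (XSS-001) and `billing/charge.py:2` (SQLI-001) and lets `charge_fixed.py` through. The point of `register()` is the feedback loop the article describes: once a bug class has been seen in production, its signature is added so the same mistake is caught at submit time from then on, rather than relying on reviewers to remember it.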
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts. June 25, 2007
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
- Google, Yahoo, Microsoft security
- by n3td3v June 25, 2007 5:20 PM PDT
- CNET did a special on my main subject and they didn't think to approach me for an interview. Trust me, the things I know would shed real light on what goes on behind the scenes of the Google, Yahoo and Microsoft security teams, because I have contacts with elements of each and they give me inside knowledge of what's really going on, instead of the blah-propaganda and rent-a-quotes seen in this series of obviously pro-vendor bull-****.