December 22, 2004 4:00 AM PST
Google's search for security
(continued from previous page)
worm. "This worm is not attacking Google, but using Google to attack others. They weren't ready for that."
Google says it knows that security needs to be a primary focus for the company.
Mayer stressed that Google has rigorously tested its products internally and conducts extensive beta tests. In fact, many of the products in which vulnerabilities are found are beta versions the company is publicly testing. The desktop search application in which university researchers found a flaw was in beta. Moreover, Google reacted quickly to that report, Mayer said. Still, she stressed that the battle is far from over.
"Security is something that we have to have even more renewed focus on," Mayer said.
The company has put some thought into its product security. When a flaw was found in its desktop search software, Google had the tools to automatically update all its users. That's a lesson that took a few years for Microsoft--and Windows users--to learn. Where Windows Update used to always ask before installing any new updates, with the latest security update to Windows XP, known as Service Pack 2, the default setting calls for automatic installation.
"Market leaders have to realize that customers have to be protected against potential risks...without making it an onerous process for them," said Microsoft's Wilson. "The ideal scenario is that those kinds of attacks would not be able to penetrate, or you closed down the vectors."
Like Microsoft, Google has made a broad push to hire security people. Nearly a dozen job listings for software security engineers and operations security are posted on the company's site.
Those security professionals will have their work cut out for them, because some of Google's security risks are hardly any different from their security products, said Mike Murray, director of vulnerability research for NCircle.
"There is a tough balance between providing information to customers and providing information that can be harmful in the hands of an attacker," he said. "Many times, the product they provide is no different from the vulnerability itself."
In the latest incident, a proactive security expert could search for Web servers running a vulnerable version of phpBB to warn the Webmaster of the issue. To Google, however, such a search would look no different than an attack.
"You are at a point where intention of the user becomes the actual qualifier," Murray said. "Google doesn't know who is sitting on the other side of the request."
Even for Google, divining intent may be too tall an order. Yet the company is all about finding the right information, so it's unlikely to give up easily.
"Google's mission is to organize the world's information," Mayer said. "To make information accessible and usable, it's implicit that you have to do it in a secure way. That makes security a precursor to our mission."