(continued from previous page)
(continued from previous page)
Microsoft, for example, came late to Web security--and to digital security in general. Until well into the 1990s, security was largely an afterthought in Windows, which was not designed with persistent network connectivity in mind.
Once it fully understood the issue's importance, however, Microsoft poured billions of dollars into the protection of client and server software. That effort has been expanded to include Web security as the company has moved more deeply into Web services with its "live" initiative--Microsoft's marketing-speak for its new online properties--which includes Windows Live, the online complement to software on the PC's hard drive.
It's understandable why Microsoft would think it knows best how to address a problem as big as Web security. Not only is it the world's largest software company, but many veterans there believe they have seen it all years before. Back then, they say, it was called desktop security.
Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can't be entered--or "validate" in industry parlance--and you can eliminate the major access point for security breaches.
"If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I contend that 80 percent of the vulnerabilities that we see are input validation errors."
As a result, Boden believes that Microsoft has a leg up on the competition, having learned quickly about Web security because of its long software history and Trustworthy Computing experience. Like its main rivals, Microsoft has created tools to help developers quash bugs and test the quality of code, such as a program called Anti-XSS that finds cross-site scripting vulnerabilities.
"It wasn't as daunting here as it may have been in some other places," Boden said. "There is a ramp and a learning curve we have to climb, but I think the learning curve for us is steep because of the prior investment we've made in our response process and our security program across the company."
Still, doubts linger. This is the company, after all, that misjudged the significance of the Internet back in the mid-1990s and later underestimated the value of Internet search and digital music.
Will Microsoft get it right with Web security? There's a good chance that it will, simply because there's too much at stake for the company as business moves increasingly to the Web. Moreover, regardless of how effective Microsoft's operations are, millions of consumers and developers will maintain pressure on the company to plug security holes.
Others confronting the Web security issue aren't so sanguine. Google, for one, sees all this as foreign terrain filled with potential land mines that may not even be known yet.
Douglas Merrill, Google's vice president of engineering, says that a scatter-shot approach is often the best bet in this hazy environment. Merrill trusts his company's servers more than the Mac in his office to safeguard his personal information because Google builds more layers of security around its data centers than around individual computers.
"Obviously there are corner cases in each model that you shouldn't go to," he said. "We devote vast quantities of resources to securing the cloud."
Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have all argued that they have hardened servers to withstand attacks, but e-mail worms, phishing attacks and other assaults are still routine.
That's why Yahoo's Bejar argues that more industry collaboration is needed. As an example of a successful corporate arrangement, he cites Yahoo's partnerships with eBay and PayPal, and he would like to reach out more to MSN and Google as well as other industry groups.
It isn't just Web sites and online applications that need better security, Bejar argues. Other factors, such as stronger browser security, could make a huge difference.
There's just one problem: Yahoo doesn't control the browser. "There are challenges being presented by the browser security model that we as an industry need to work on together," Bejar said.
Google is attempting to work around that problem by acquiring some technology that could make Web browsing safer. Microsoft has developed features such as the green bar in Internet Explorer 7 to indicate "trusted" Web sites, part of an initiative that also involves KDE, Mozilla, Opera Software and other browser makers.
All this is a good start, but it's mostly reactive. Security experts at the Big Three companies believe that more needs to be done at the root level of software development, starting at the university level to teach security to the incoming workforce as early as possible.
Universities should offer more courses that bridge the gap between what applications should do and what they can do--an approach to engineering that isn't widely taught today.
Simply put, Bejar says, "We need to make sure that we're on the same page."
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
6 commentsJoin the conversation! Add your comment