
(continued from previous page)

NEWS.COM SPECIAL REPORT: Wardens of the Web

Microsoft, for example, came late to Web security--and to digital security in general. Until well into the 1990s, security was largely an afterthought in Windows, which was not designed with persistent network connectivity in mind.

Once it fully understood the issue's importance, however, Microsoft poured billions of dollars into the protection of client and server software. That effort has been expanded to include Web security as the company has moved more deeply into Web services with its "live" initiative--Microsoft's marketing-speak for its new online properties--which includes Windows Live, the online complement to software on the PC's hard drive.

It's understandable why Microsoft would think it knows best how to address a problem as big as Web security. Not only is it the world's largest software company, but many veterans there believe they have seen it all years before. Back then, they say, it was called desktop security.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can't be entered--or "validate" in industry parlance--and you can eliminate the major access point for security breaches.

"If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I contend that 80 percent of the vulnerabilities that we see are input validation errors."

As a result, Boden believes that Microsoft has a leg up on the competition, having learned quickly about Web security because of its long software history and Trustworthy Computing experience. Like its main rivals, Microsoft has created tools to help developers quash bugs and test the quality of code, such as a program called Anti-XSS that finds cross-site scripting vulnerabilities.

"It wasn't as daunting here as it may have been in some other places," Boden said. "There is a ramp and a learning curve we have to climb, but I think the learning curve for us is steep because of the prior investment we've made in our response process and our security program across the company."

Still, doubts linger. This is the company, after all, that misjudged the significance of the Internet back in the mid-1990s and later underestimated the value of Internet search and digital music.

Will Microsoft get it right with Web security? There's a good chance that it will, simply because there's too much at stake for the company as business moves increasingly to the Web. Moreover, regardless of how effective Microsoft's operations are, millions of consumers and developers will maintain pressure on the company to plug security holes.

Others confronting the Web security issue aren't so sanguine. Google, for one, sees all this as foreign terrain filled with potential land mines that may not even be known yet.

Douglas Merrill, Google's vice president of engineering, says that a scatter-shot approach is often the best bet in this hazy environment. Merrill trusts his company's servers more than the Mac in his office to safeguard his personal information because Google builds more layers of security around its data centers than around individual computers.

"Obviously there are corner cases in each model that you shouldn't go to," he said. "We devote vast quantities of resources to securing the cloud."

Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have all argued that they have hardened servers to withstand attacks, but e-mail worms, phishing attacks and other assaults are still routine.

That's why Yahoo's Bejar argues that more industry collaboration is needed. As an example of a successful corporate arrangement, he cites Yahoo's partnerships with eBay and PayPal, and he would like to reach out more to MSN and Google as well as other industry groups.

It isn't just Web sites and online applications that need better security, Bejar argues. Other factors, such as stronger browser security, could make a huge difference.

There's just one problem: Yahoo doesn't control the browser. "There are challenges being presented by the browser security model that we as an industry need to work on together," Bejar said.

Google is attempting to work around that problem by acquiring some technology that could make Web browsing safer. Microsoft has developed features such as the green bar in Internet Explorer 7 to indicate "trusted" Web sites, part of an initiative that also involves KDE, Mozilla, Opera Software and other browser makers.

All this is a good start, but it's mostly reactive. Security experts at the Big Three companies believe that more needs to be done at the root level of software development, starting at the university level to teach security to the incoming workforce as early as possible.

Universities should offer more courses that bridge the gap between what applications should do and what they can do--an approach to engineering that isn't widely taught today.

Simply put, Bejar says, "We need to make sure that we're on the same page."  


The Web is obsolete...Time for a New Slate Approach
by guyfrom2006 June 28, 2007 4:59 AM PDT
We already have ATMs, VPNs, Airline Reservation Systems, etc. that do a far better job of securing information than the WEB.

That calls for a completely fresh approach towards solving data and application security of online applications.

Just because a few large companies have invested in the Web Platform does not mean users have to continue using obsolete stuff.

Move over Web, welcome the Alternative....

I see one round the corner...maybe 2008 and it is called NetAlter
What Web?
by jack1260 June 28, 2007 9:24 AM PDT
Internet security is simple. Hardware reset. There is no logical software firewall. There is a real wall called, "OFF."

The cell phone is rapidly burning permanent, read-only memory chips from the different internet software applications as we communicate (which is the original reason that Honeywell, IBM, and others created software, that is to logically conclude an application with finished hardware) and I am not sure if the world wide web will be good for much more than using cell phones and pods (designer hardware.) And the occasional laptop or desktop computer may fit in for a while, in the near future, but the thrill is gone.
totally safe is done!!!
by Steve Hirst June 28, 2007 9:46 AM PDT
Total safety and security, no need for virus nor trojan protection, no way to get cookies, spyware... no software needed. The user does nothing except surf and purchase through an indirect portal. US Patent Number: 7,111,078; the summary is at www.notme.com
THE BOTTOM LINE
by n3td3v June 28, 2007 10:49 AM PDT
The information security director for Yahoo wants MSN and Google to share intelligence on hackers sending in information that Yahoo should be aware of, and Yahoo wants MSN and Google to share bugs reported to them that may be a new, unseen-before attack vector that would be important for Yahoo to know. The problem is a lot of the time companies keep security information within the company if details of a hack on their network haven't already leaked out to the media. In short, Yahoo's director of information security is paranoid that they aren't being told everything they feel they should know, even though the company Yahoo has off-the-record contacts within both MSN and Google, yet the information security director for Yahoo would like more official channels of intelligence set up to share information on cutting-edge hacks and hacker groups alike with a vested interest in Yahoo-like websites and their applications.