In every revolution, ideals eventually give way to reality--even in the virtual world.
Amid all the optimism of the Digital Age, the interactivity and social networking of Web 2.0 applications were supposed to realize the full potential of the Internet as a medium of the future. Yet even in its infancy, this new era faces a daunting challenge in the form of security.
The job of policing the Web has been left to the corporate world by default. The burden weighs heavily on a trio of companies in particular: Google, Yahoo and Microsoft--the three firms with the most traffic on the Web. Their work, alone or in concert, will likely define what kind of security can be expected for e-mail, purchases, bill payment, other financial transactions and practically anything else involving personal information of the most sensitive nature.
These three companies typically avoid public discussions about security, for fear of divulging information that could unwittingly tip off hackers. But they agreed to give CNET News.com a rare view of their internal operations and efforts to defend their technologies and online properties.
Despite their shared predicament, the companies have vastly different businesses, cultures, philosophies and methodologies that are mirrored in the way they approach the monumental problem of Web security. Specifically, three men--those chosen by their respective employers to lead the charge--embody these corporate traits.
This special report examines their work, how it reflects their companies' mentality, and what it will mean for generations to come. They are the "Wardens of the Web."
Day 1: Inventing the wheel
Leading the charge in Web security at Google, its vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft's senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Microsoft's senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts. June 25, 2007
Wired but not Web 2.0? That's normal, study says
Wrangling Web 2.0 at S.F. expo
Bug hunters face online apps dilemma
Insecurity complex on the Internet
Google deal highlights Web 2.0 boom
Divide between Net, desktop disappearing
Web 2.0 threats and risks for financial services
Security remains a challenge for browser developers
Is Really Simple Syndication really secure?
Study: Security cues on banking sites ignored
Botnet battlers call for Net driver's license
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
2. Ban ActiveX - Redundant because of #1, but it still needs to be said.
3. Ban PHP - Security is job none at Zend.
4. Don't let amateurs create dynamic pages, or use scripting languages.
5. Force any website or web service to pass at least a basic security evaluation. Yes, it will add 3 or 4 figures to the cost of developing a site, but it will save far more than that in the long run.
6. Require a basic security certification to connect to the internet.
7. Teach business people without a clue that security features are not the same thing as a secure feature.
Yes, some of these are draconian, but it will significantly help online security.
Network security depends on the weakest link. That is why it fails time and time again.
How many people on the job fall for social engineering tricks? It doesn't matter how much money you throw into security when 1 employee can unwittingly invalidate it all.
How many people actually know what an SSL certificate is, much less know when to accept or reject a certificate? The SSL protocol is entirely dependent on people who don't know enough to intelligently use it.
In short, people need education and to stop using inherently insecure software like Windows and PHP.
If you want the real story behind all three security teams, then approach me and I'll give you the employee names and evidence to back everything up.
n3td3v
What these people do in office and what they do and who they speak to out of office are completely different things.
While these teams play the good guys at work, they are the actual elite skilled users that the government are keeping an eye on outside of their corporate cubes!!!
I have spoken to many people from these companies and they are two-faced in so many ways, and they are more than whitehat, they wore multi-colored hats!!!
The brand name doesn't know what's going on, but there are elements who know what's going on, but are too scared to speak up because of job and career insecurities, so they just shut up and turn a blind eye.
If employees weren't scared to speak out against known rogue employees, the brand name would be far more secure from security breaches.