By Mike Ricciuti and Joris Evers
Staff writers, CNET News.com
June 28, 2007
The Web, for better or worse, has arguably become the equivalent of a
massive public agency. It is the repository for consumer information and
services of the most sensitive and important nature, ranging from
medical records to financial investments.
Web-based services are supplanting traditional desktop software at a
blinding pace, taking over terabytes of personal data in the process.
Unlimited e-mail storage and Web 2.0-style start-ups will accelerate
that trend even more.
Yet access to those massive and indispensable resources is generally
gated by a handful of large, profit-driven corporations. Microsoft,
Google, Yahoo, America Online and other leading companies have largely
built the services that much of the world has come to rely on in
everyday life--making them, in effect, the guardians of our most
Which raises an obvious question: Is that a good idea? The most
disturbing answer, if history is any guide, is that we may not have much
of a choice.
It's disturbing on many levels, but mostly because the industry is
basically making up Web security as it goes along. As security
executives from Microsoft, Google and Yahoo attest, the companies are in
many cases adapting standard desktop security techniques to new Web
applications. Sometimes that works; sometimes it doesn't.
"Data is now available online, all the time," said Billy Hoffman, lead
researcher at Web security specialist SPI Dynamics. "It's a great big
Hoffman's job is to understand where Web security breaks down. The way
he sees it, the Big Three Web properties are doing a fairly good job
with security, at least on the server end of the equation. The wild card
is what happens to that data once it leaves the Googleplex, travels
across the network, and gets cached on users' desktops.
Since 1999, more than 90 percent of all documents have been produced
digitally; more than 42 percent of all U.S. Internet users have
Web-based banking services; and more than 160 billion e-mail messages
are sent daily, according to computer services firm CSC and other
sources. As the data piles up, it becomes harder to secure bits flowing
between servers and desktop Web applications, not to mention the
additional complexity of mashups and other Web 2.0 technologies.
Simultaneously, attacks are on the rise.
The bottom line is that we're entering unexplored territory where an
unprecedented number of people depend on a growing number of relatively
new applications, some built with still-evolving technologies, to handle
enormous amounts of personal data fragmented across a multiplicity of
servers and networks worldwide. Against this daunting backdrop--and amid
concerns over corporate control--calls for some kind of independent
oversight are inevitable.
"We have information on security practices out there. The disconnect is
that we don't have an intermediary that says how these things apply to
you as you build Web 2.0 or other applications," Hoffman said. "Will a
nonprofit or some other group arise that tries to publish standards?
Probably. We definitely need a central clearing house of good
information, because there is a lot of bad information out there."
Even some executives at the companies that now control the bulk of Web
security say more industry cooperation is needed.
"Security is in the best interest of the whole industry," said Arturo
Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to share
either knowledge or tools to give back to the community."
A seemingly obvious course to pursue, short of government intervention,
would be some form of industry-wide cooperation ostensibly designed to
avoid the development of a monopoly or cartel. That approach, though, is
easier said than done: it's been tried many times before with other
digital technologies, only to end up in disarray or under the de facto
control of a principal stakeholder or group of interested parties.
In a word, think Windows. More than a decade of litigation and untold
millions in taxpayer money has done little to loosen Microsoft's control
over the operating system that more than 90 percent of the world's
personal computer users rely on daily.
In the early days of the Web, a nonprofit agency called the World Wide
Web Consortium was born of the altruistic notion that all interested
parties could cooperate and compromise as needed for the good of the
medium. The so-called W3C has done much good in defining Web standards
where none existed and by serving as a trusted authority in the
Internet's Wild West beginnings. At the same time, much of the W3C's
activity is focused on standards defined by the very companies that in
many instances most benefit from their creation.
The W3C probably isn't the right organization to be charged with Web
security oversight anyway because it essentially defines tools used by
others. Security breaches usually involve how those technologies are
used, not necessarily the tools themselves.
"Standard bodies should focus on making very clear standards that set
good baselines," Hoffman said. "The worst thing in the world that a
standard can do is to be ambiguous, and there are a number of standards
out there that are ambiguous."
Other organizations, like the Web Application Security Consortium, are
attempting to define the most secure ways to develop applications. In
addition, Web developers throughout the industry are sharing more
research and security "best practices" through sites like XSSed.org,
which publishes information on new cross-site scripting vulnerabilities
and how to fix them.
But such efforts can go only so far. The Web giants have built out their
properties over the years despite security problems, and new bugs
continue to arise almost daily.
Microsoft, for example, came late to Web security--and to digital
security in general. Until well into the 1990s, security was largely an
afterthought in Windows, which was not designed with persistent network
connectivity in mind.
Once it fully understood the issue's importance, however, Microsoft
poured billions of dollars into the protection of client and server
software. That effort has been expanded to include Web security as the
company has moved more deeply into Web services with its "live"
initiative--Microsoft's marketing-speak for its new online
properties--which includes Windows Live, the online complement to
software on the PC's hard drive.
It's understandable why Microsoft would think it knows best how to
address a problem as big as Web security. Not only is it the world's
largest software company, but many veterans there believe they have seen
it all years before. Back then, they say, it was called desktop
Pete Boden, senior director for MSN and Windows Live security, echoes
the views of many longtime executives. He argues that a lot of
application security problems boil down to the same fundamental source:
data input; that is, what people type into an application. Tightly
control what can or can't be entered--or "validate" in industry
parlance--and you can eliminate the major access point for security
"If you classified Web vulnerabilities and took out all of those that
are related in some form to input validation, I think you'd have a very
small number of vulnerabilities left," he said. "I contend that 80
percent of the vulnerabilities that we see are input validation errors."
As a result, Boden believes that Microsoft has a leg up on the
competition, having learned quickly about Web security because of its
long software history and Trustworthy Computing experience. Like its
main rivals, Microsoft has created tools to help developers quash bugs
and test the quality of code, such as a program called Anti-XSS that
finds cross-site scripting vulnerabilities.
"It wasn't as daunting here as it may have been in some other places,"
Boden said. "There is a ramp and a learning curve we have to climb, but
I think the learning curve for us is steep because of the prior
investment we've made in our response process and our security program
across the company."
Still, doubts linger. This is the company, after all, that misjudged the
significance of the Internet back in the mid-1990s and later
underestimated the value of Internet search and digital music.
Will Microsoft get it right with Web security? There's a good chance
that it will, simply because there's too much at stake for the company
as business moves increasingly to the Web. Moreover, regardless of how
effective Microsoft's operations are, millions of consumers and
developers will maintain pressure on the company to plug security holes.
Others confronting the Web security issue aren't so sanguine. Google,
for one, sees all this as foreign terrain filled with potential land
mines that may not even be known yet.
Douglas Merrill, Google's vice president of engineering, says that a
scatter-shot approach is often the best bet in this hazy environment.
Merrill trusts his company's servers more than the Mac in his office to
safeguard his personal information because Google builds more layers of
security around its data centers than around individual computers.
"Obviously there are corner cases in each model that you shouldn't go
to," he said. "We devote vast quantities of resources to securing the
Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have
all argued that they have hardened servers to withstand attacks, but
e-mail worms, phishing attacks and other assaults are still routine.
That's why Yahoo's Bejar argues that more industry collaboration is
needed. As an example of a successful corporate arrangement, he cites
Yahoo's partnerships with eBay and PayPal, and he would like to reach
out more to MSN and Google as well as other industry groups.
It isn't just Web sites and online applications that need better
security, Bejar argues. Other factors, such as stronger browser
security, could make a huge difference.
There's just one problem: Yahoo doesn't control the browser. "There are
challenges being presented by the browser security model that we as an
industry need to work on together," Bejar said.
Google is attempting to work around that problem by acquiring some
technology that could make Web browsing safer. Microsoft has developed
features such as the green bar in Internet Explorer 7 to indicate
"trusted" Web sites, part of an initiative that also involves KDE,
Mozilla, Opera Software and other browser makers.
All this is a good start, but it's mostly reactive. Security experts at
the Big Three companies believe that more needs to be done at the root
level of software development, starting at the university level to teach
security to the incoming workforce as early as possible.
Universities should offer more courses that bridge the gap between what
applications should do and what they can do--an approach to engineering
that isn't widely taught today.
Simply put, Bejar says, "We need to make sure that we're on the same