Solving the Web security challenge

Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course through such uncharted territory?

The Web, for better or worse, has arguably become the equivalent of a massive public agency. It is the repository for consumer information and services of the most sensitive and important nature, ranging from medical records to financial investments.

Web-based services are supplanting traditional desktop software at a blinding pace, taking over terabytes of personal data in the process. Unlimited e-mail storage and Web 2.0-style start-ups will accelerate that trend even more.

Yet access to those massive and indispensable resources is generally gated by a handful of large, profit-driven corporations. Microsoft, Google, Yahoo, America Online and other leading companies have largely built the services that much of the world has come to rely on in everyday life--making them, in effect, the guardians of our most sensitive information.

Which raises an obvious question: Is that a good idea? The most disturbing answer, if history is any guide, is that we may not have much of a choice.

It's disturbing on many levels, but mostly because the industry is basically making up Web security as it goes along. As security executives from Microsoft, Google and Yahoo attest, the companies are in many cases adapting standard desktop security techniques to new Web applications. Sometimes that works; sometimes it doesn't.

"Data is now available online, all the time," said Billy Hoffman, lead researcher at Web security specialist SPI Dynamics. "It's a great big target."

Hoffman's job is to understand where Web security breaks down. The way he sees it, the Big Three Web properties are doing a fairly good job with security, at least on the server end of the equation. The wild card is what happens to that data once it leaves the Googleplex, travels across the network, and gets cached on users' desktops.

Since 1999, more than 90 percent of all documents have been produced digitally; more than 42 percent of all U.S. Internet users have Web-based banking services; and more than 160 billion e-mail messages are sent daily, according to computer services firm CSC and other sources. As the data piles up, it becomes harder to secure bits flowing between servers and desktop Web applications, not to mention the additional complexity of mashups and other Web 2.0 technologies. Simultaneously, attacks are on the rise.

The bottom line is that we're entering unexplored territory where an unprecedented number of people depend on a growing number of relatively new applications, some built with still-evolving technologies, to handle enormous amounts of personal data fragmented across a multiplicity of servers and networks worldwide. Against this daunting backdrop--and amid concerns over corporate control--calls for some kind of independent oversight are inevitable.

"We have information on security practices out there. The disconnect is that we don't have an intermediary that says how these things apply to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there."

Even some executives at the companies that now control the bulk of Web security say more industry cooperation is needed.

"Security is in the best interest of the whole industry," said Arturo Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to share either knowledge or tools to give back to the community."

A seemingly obvious course to pursue, short of government intervention, would be some form of industry-wide cooperation ostensibly designed to avoid the development of a monopoly or cartel. That approach, though, is easier said than done: it's been tried many times before with other digital technologies, only to end up in disarray or under the de facto control of a principal stakeholder or group of interested parties.

In a word, think Windows. More than a decade of litigation and untold millions in taxpayer money has done little to loosen Microsoft's control over the operating system that more than 90 percent of the world's personal computer users rely on daily.

In the early days of the Web, a nonprofit agency called the World Wide Web Consortium was born of the altruistic notion that all interested parties could cooperate and compromise as needed for the good of the medium. The so-called W3C has done much good in defining Web standards where none existed and by serving as a trusted authority in the Internet's Wild West beginnings. At the same time, much of the W3C's activity is focused on standards defined by the very companies that in many instances most benefit from their creation.

The W3C probably isn't the right organization to be charged with Web security oversight anyway because it essentially defines tools used by others. Security breaches usually involve how those technologies are used, not necessarily the tools themselves.

"Standards bodies should focus on making very clear standards that set good baselines," Hoffman said. "The worst thing in the world that a standard can do is to be ambiguous, and there are a number of standards out there that are ambiguous."

Other organizations, like the Web Application Security Consortium, are attempting to define the most secure ways to develop applications. In addition, Web developers throughout the industry are sharing more research and security "best practices" through sites like XSSed.org, which publishes information on new cross-site scripting vulnerabilities and how to fix them.

But such efforts can go only so far. The Web giants have built out their properties over the years despite security problems, and new bugs continue to arise almost daily.

Microsoft, for example, came late to Web security--and to digital security in general. Until well into the 1990s, security was largely an afterthought in Windows, which was not designed with persistent network connectivity in mind.

Once it fully understood the issue's importance, however, Microsoft poured billions of dollars into the protection of client and server software. That effort has been expanded to include Web security as the company has moved more deeply into Web services with its "live" initiative--Microsoft's marketing-speak for its new online properties--which includes Windows Live, the online complement to software on the PC's hard drive.

It's understandable why Microsoft would think it knows best how to address a problem as big as Web security. Not only is it the world's largest software company, but many veterans there believe they have seen it all years before. Back then, they say, it was called desktop security.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can't be entered--or "validate" in industry parlance--and you can eliminate the major access point for security breaches.

"If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I contend that 80 percent of the vulnerabilities that we see are input validation errors."

As a result, Boden believes that Microsoft has a leg up on the competition, having learned quickly about Web security because of its long software history and Trustworthy Computing experience. Like its main rivals, Microsoft has created tools to help developers quash bugs and test the quality of code, such as a program called Anti-XSS that finds cross-site scripting vulnerabilities.
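Boden's point about input validation, and the cross-site scripting class of bug that tools like Anti-XSS look for, can be made concrete with a small added example. The code below is written for this page and is not from the article, from Microsoft's Anti-XSS library, or from any of the companies quoted; the function names, the display-name rule and the sample inputs are all assumptions constructed for illustration. It pairs a vulnerable rendering pattern (user text concatenated straight into HTML) with a hardened one that first rejects input outside an allowlist and then encodes on output, which is the two-layer approach a practitioner would apply rather than relying on validation alone.

```javascript
// Added example, not from the article or from Anti-XSS. It shows the two
// defensive controls behind "validate what can or can't be entered":
//   1) input validation: accept only what the field is supposed to contain;
//   2) output encoding: whatever reaches the page is escaped for the HTML
//      context, so characters such as < and " cannot become markup.
// All names below are assumptions; sample inputs are constructed.

// Allowlist for a display name: letters, digits, space, dot, apostrophe,
// dash, 1 to 32 characters. Anything else is rejected, not "cleaned up".
const DISPLAY_NAME = /^[A-Za-z0-9 .'\-]{1,32}$/;

function validateDisplayName(input) {
  return typeof input === 'string' && DISPLAY_NAME.test(input);
}

// Escape the five characters that matter when inserting text into an HTML
// element body or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user-controlled text concatenated directly into markup,
// so any tag in the name is interpreted by the browser as HTML.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Hardened pattern: validate first, then encode on output. Validation alone
// is not enough (an apostrophe is a legitimate name character but still
// needs encoding in an attribute context), and encoding alone would let bad
// data into storage, so both layers are applied.
function renderGreetingSafe(name) {
  if (!validateDisplayName(name)) {
    throw new Error('display name rejected by input validation');
  }
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Constructed sample inputs: a benign name, a name with a legitimate special
// character, and one carrying markup.
const SAMPLE_BENIGN = 'Ada Lovelace';
const SAMPLE_APOSTROPHE = "Conan O'Brien";
const SAMPLE_MARKUP = '<b>Mallory</b>';

// Stand-alone demonstration.
console.log('unsafe:', renderGreetingUnsafe(SAMPLE_MARKUP));   // markup survives
console.log('safe:  ', renderGreetingSafe(SAMPLE_BENIGN));
console.log('safe:  ', renderGreetingSafe(SAMPLE_APOSTROPHE)); // apostrophe encoded
try {
  renderGreetingSafe(SAMPLE_MARKUP);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The allowlist is deliberately narrow; widening a field (say, to permit `<` in a free-text comment) is exactly the case in which output encoding, not validation, is what keeps the page safe, which is why the hardened function keeps both steps even when the validator already excludes angle brackets.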

"It wasn't as daunting here as it may have been in some other places," Boden said. "There is a ramp and a learning curve we have to climb, but I think the learning curve for us is steep because of the prior investment we've made in our response process and our security program across the company."

Still, doubts linger. This is the company, after all, that misjudged the significance of the Internet back in the mid-1990s and later underestimated the value of Internet search and digital music.

Will Microsoft get it right with Web security? There's a good chance that it will, simply because there's too much at stake for the company as business moves increasingly to the Web. Moreover, regardless of how effective Microsoft's operations are, millions of consumers and developers will maintain pressure on the company to plug security holes.

Others confronting the Web security issue aren't so sanguine. Google, for one, sees all this as foreign terrain filled with potential land mines that may not even be known yet.

Douglas Merrill, Google's vice president of engineering, says that a scatter-shot approach is often the best bet in this hazy environment. Merrill trusts his company's servers more than the Mac in his office to safeguard his personal information because Google builds more layers of security around its data centers than around individual computers.

"Obviously there are corner cases in each model that you shouldn't go to," he said. "We devote vast quantities of resources to securing the cloud."

Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have all argued that they have hardened servers to withstand attacks, but e-mail worms, phishing attacks and other assaults are still routine.

That's why Yahoo's Bejar argues that more industry collaboration is needed. As an example of a successful corporate arrangement, he cites Yahoo's partnerships with eBay and PayPal, and he would like to reach out more to MSN and Google as well as other industry groups.

It isn't just Web sites and online applications that need better security, Bejar argues. Other factors, such as stronger browser security, could make a huge difference.

There's just one problem: Yahoo doesn't control the browser. "There are challenges being presented by the browser security model that we as an industry need to work on together," Bejar said.

Google is attempting to work around that problem by acquiring some technology that could make Web browsing safer. Microsoft has developed features such as the green bar in Internet Explorer 7 to indicate "trusted" Web sites, part of an initiative that also involves KDE, Mozilla, Opera Software and other browser makers.

All this is a good start, but it's mostly reactive. Security experts at the Big Three companies believe that more needs to be done at the root level of software development, starting at the university level to teach security to the incoming workforce as early as possible.

Universities should offer more courses that bridge the gap between what applications should do and what they can do--an approach to engineering that isn't widely taught today.

Simply put, Bejar says, "We need to make sure that we're on the same page."