Solving the Web security challenge

Solving = the Web security challenge

By Mike Ricciuti and Joris Evers
Staff writers, CNET News.com June 28, 2007, 4:00 AM PDT

Editors'= note: This is part four of a four-day series examining the state and future of Web security<= /span>.

The Web, for better or worse, has arguably become the equiva= lent of a massive public agency. It is the repository for consumer information and services of the most sensitive and important nature, ranging from medical r= ecords to financial investments.=

Web-based services are supplanting traditi<= st1:PersonName w:st=3D"on">onal desktop software at a blinding pace, t= aking over terabytes of personal data in the process. Unlimited e-mail storage and Web 2.0-style start-ups will accelerate that trend even more.

Yet access to those massive and indispensable reso= urces is generally gated by a handful of large, profit-driven corporations. <= span style=3D'color:#0048C0;text-decoration:none;text-underline:none'>Microsoft<= /span>, Google, Yahoo, America Online and other leadi= ng companies have largely built the services that = much of the world has come to rely on in everyday life--maki= ng them, in effect, the guardians of our most sensitive information.

Which raises an obvious question: Is that a good idea? The most disturbing answer, if= history is any guide, is that we may not have much of a choice.

It's disturbing on many levels, but= mostly because the industry is basically making= up Web security as it goes along. As security executives from Microsoft, Go= ogle and Yahoo attest, the companies are in m= any cases adapting standard desktop security techniques to new Web applications. Sometimes that works; sometimes it doesn't.

"Data is now available online, all the time," said Billy Hoffman, lead researcher at Web security specia= list SPI Dynamics. "It's a great big target."

Hoffman's job is to understand where Web sec= urity breaks down. The way he sees i= t, the Big Three Web properties are doing a fairly good job with security, at least on the server end = of the equation. The wild card is= what happens to that data once it leaves the Googleplex, travels across the network, and gets cached on users' desktops.

Since 1999, more than 90 percent of all documents have been produced digitally; = more than 42 percent of all U.S. Internet users have Web-based banking services; and more than 160 billi= on e-mail messages are sent daily, according to computer services firm CSC and other s<= st1:PersonName w:st=3D"on">ources. As the data piles up, it becomes harder to secure bits flowing between se= rvers and desktop Web applications, not to mention the additional complexity of mashups and other Web 2.0 technologies. Simultaneo<= /st1:PersonName>usly, attacks ar= e on the rise.

The bottom line is that we're entering unexplored territory where an unprecedent= ed number of people depend on a growing number of relatively new appli= cations, some built with still-evolving tech= nologies, to handle enormous amounts of personal data fragmented across a multiplicity of servers and ne= tworks worldwide. Against this daunting backdrop= --and amid concerns over corporate control--calls for some kind of independent oversight are inevitable.

"We have information on security practices out there. The disconnect is that we don't have an inter= mediary that says how these things app= ly to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central cl= earing house of go= od information, because there is a lot of bad information out there."

Even some executives at the companies that now control the bulk of Web security say m= ore industry cooperation is needed.

"Security is in the best interest of the= whole industry," said Arturo Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to= share either knowledge or tools to give back to the community."

A seemingly obvious course to pursue, short of government intervention, would be some form of industry-wide cooperation ostensibly designed to avoid the development of a monopoly or cartel. That approach, though, is easier said than d<= st1:PersonName w:st=3D"on">one: it's been tried many times before with other digital technologies, only to end up in disarray or under the de facto control of a principal stakeholder or group of interested parties.

In a word, think Windows. More than a decade of litigation= and untold millions in taxpayer mo= ney has done little to loosen Microsoft's control over the operating system that more than 90 percent of the world's personal computer users rely on daily.

In the early days of the Web, a n= onprofit agency called the World Wide Web Consortium<= /a> was born of the altruistic notion that all interested parties could cooperate and compromise as needed fo= r the good of the medium. The so-called W3C has d= one much good in defining Web standards where none existed and by serving as a trusted authority in the Internet's Wild West beginnings. At the same time, much of the W3C's activity is focused on standards defined by the ve= ry companies that in many instances most benefit from their creation.

The W3C probably isn't the right <= st1:PersonName w:st=3D"on">organization to be charged with Web securit= y oversight anyway because it essentially define= s tools used by others. Security breaches u= sually involve how those technologies are used, no= t necessarily the tools themselves.

"Standard bodies should focus on making very clear standards that set good baselines," Hoffman said. "The worst thing in= the world that a standard can do is to be ambiguous, and there are a number of standards out there that are a= mbiguous."

Other organizations, like the Web Application Security Consorti= um, are attempting to define the m= ost secure ways to= develop applications. In addition, Web developers throughout the industry are sharing more research and security "best practices" through sites like XSSed.org<= /span>, which publishes information on new cross-site scripting vulnerabi= lities and how to fix them.

But such efforts can go only so far. The Web giants have built out their properties over the years despite securit= y problems, and new bugs continue to arise almost daily. Microsoft, for example, came late to Web security--and to digital security in general. Until well into the 1990s, security was largely an afterthought in Windows, which was not designed with persistent network connectivity in mind.

Once it fully understood the issue's imp= ortance, however, Microsoft poured billions of dollars into the protection of client and server software. That effo= rt has been expanded to include W= eb security as the company has m<= st1:PersonName w:st=3D"on">oved more deeply into Web services with = its "live" initiative--Microsoft's marketing-speak for its new online properties--which includes Windows= Live, the online complement to software on the PC's hard drive.

It's understandable why Microsoft would think it knows best how to address a problem as big as Web security. Not only is it the world's largest software company, but many veterans there believe they have seen it all years before. Back then, they say, it was called deskt<= st1:PersonName w:st=3D"on">op security.

"If you classified Web vulnerabili= ties and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I co= ntend that 80 percent of the vulnerabilities that we see are input validatio= n errors."

As a result, Boden believes that Microsoft has a leg up o= n the competition, having learned quickly about W= eb security because of its long software history and Trustwo= rthy Computing experience. Like its main rivals, Microsoft has created tools to help developers quash bugs and test the quality of code, such as a pro= gram called Anti-XSS that finds cro= ss-site scripting vulnerabilities.

"It wasn't as daunting here as it may have been in some other places," Boden sa= id. "There is a ramp and a learning curve we have to climb, but I think the learning curve for us is steep because of the pri= or investment we've made in our response process and our security program across the company."<= /span>

Still, doubts linger. This is the company, after all, that misjudged the = signifi= cance of the Internet back in the mid-1990s and later underestimated t= he value of Internet search and d= igital music.

Will Microsoft get it right with Web security? There's a good chance that it will, simply because there's= too much at stake for the company as business moves increasingly to the Web. Moreover, regardless of how effective Micro= soft's operations are, millions of consumers and developers will maintain pressure on the company to plug security holes.

Others confronting the Web security issue aren't so sanguine. Google, for one, sees all this as foreign terra= in filled with potential land min= es that may not even be known yet.

ot approach is often the best bet in this hazy environment. Merrill trusts his company's s= ervers more than the Mac in his office to safeguard his personal information because Google builds more layers of security around its data centers than around individual computers.

"Obviously there are co= rner cases in each model that you shouldn't go to," he said. "We devote vast quantities of resources to securing the cloud."=

Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have all argued that they have hardened servers to withstand attacks, but e-mail worms, phishing attacks and other assaults are still routine.

That's why Yahoo's Bejar argues that m= ore industry collaboration is needed. As an example of a successful corporate arrangement, he cites Yahoo's partnerships with eBay and PayPal, and he would like to reach out more to MSN and Google as well as o<= /st1:PersonName>ther industry groups.

It isn't just Web sites and online applications that need better security, Bejar argues. Other factors, such as stro<= /st1:PersonName>nger browser security, could make a huge difference.=

There's just one problem: Yahoo doesn't control the browser. "There are challenges being presented by the browser security model that we as an industry need to work on together," Bejar said.

Google is attempting to work around that problem by acquiring some technology<= /a> that could make Web browsing safer. Micr= osoft has develop= ed features such as the green bar in Internet Explorer 7 to indicate "trusted" Web sites, part o<= /st1:PersonName>f an initiative that also involves KDE, Mozilla, Opera Software and other browser makers.

All this is a good start, but it's mostly reactiv= e. Security experts at the Big Three companies believe that more needs to be done at the root level of software development, starting at the university level to teach secu= rity to the incoming workforce as early as possible.

Universities should offer more courses that bridge the gap between what applications should do and what they can do--an appr<= st1:PersonName w:st=3D"on">oach to engineering that isn't widely taught today.

Simply put, Bejar says, "We need to make sure that we're on the same page."