[ISN] Solving the Web security challenge

From: InfoSec News (alerts@private)
Date: Thu Jun 28 2007 - 22:19:37 PDT


http://news.com.com/Solving+the+Web+security+challenge/2009-1002_3-6189437.html

By Mike Ricciuti and Joris Evers
Staff writers, CNET News.com
June 28, 2007

The Web, for better or worse, has arguably become the equivalent of a 
massive public agency. It is the repository for consumer information and 
services of the most sensitive and important nature, ranging from 
medical records to financial investments.

Web-based services are supplanting traditional desktop software at a 
blinding pace, taking over terabytes of personal data in the process. 
Unlimited e-mail storage and Web 2.0-style start-ups will accelerate 
that trend even more.

Yet access to those massive and indispensable resources is generally 
gated by a handful of large, profit-driven corporations. Microsoft, 
Google, Yahoo, America Online and other leading companies have largely 
built the services that much of the world has come to rely on in 
everyday life--making them, in effect, the guardians of our most 
sensitive information.

Which raises an obvious question: Is that a good idea? The most 
disturbing answer, if history is any guide, is that we may not have much 
of a choice.

It's disturbing on many levels, but mostly because the industry is 
basically making up Web security as it goes along. As security 
executives from Microsoft, Google and Yahoo attest, the companies are in 
many cases adapting standard desktop security techniques to new Web 
applications. Sometimes that works; sometimes it doesn't.

"Data is now available online, all the time," said Billy Hoffman, lead 
researcher at Web security specialist SPI Dynamics. "It's a great big 
target."

Hoffman's job is to understand where Web security breaks down. The way 
he sees it, the Big Three Web properties are doing a fairly good job 
with security, at least on the server end of the equation. The wild card 
is what happens to that data once it leaves the Googleplex, travels 
across the network, and gets cached on users' desktops.

Since 1999, more than 90 percent of all documents have been produced 
digitally; more than 42 percent of all U.S. Internet users have 
Web-based banking services; and more than 160 billion e-mail messages 
are sent daily, according to computer services firm CSC and other 
sources. As the data piles up, it becomes harder to secure bits flowing 
between servers and desktop Web applications, not to mention the 
additional complexity of mashups and other Web 2.0 technologies. 
Simultaneously, attacks are on the rise.

The bottom line is that we're entering unexplored territory where an 
unprecedented number of people depend on a growing number of relatively 
new applications, some built with still-evolving technologies, to handle 
enormous amounts of personal data fragmented across a multiplicity of 
servers and networks worldwide. Against this daunting backdrop--and amid 
concerns over corporate control--calls for some kind of independent 
oversight are inevitable.

"We have information on security practices out there. The disconnect is 
that we don't have an intermediary that says how these things apply to 
you as you build Web 2.0 or other applications," Hoffman said. "Will a 
nonprofit or some other group arise that tries to publish standards? 
Probably. We definitely need a central clearing house of good 
information, because there is a lot of bad information out there."

Even some executives at the companies that now control the bulk of Web 
security say more industry cooperation is needed.

"Security is in the best interest of the whole industry," said Arturo 
Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to share 
either knowledge or tools to give back to the community."

A seemingly obvious course to pursue, short of government intervention, 
would be some form of industry-wide cooperation ostensibly designed to 
avoid the development of a monopoly or cartel. That approach, though, is 
easier said than done: it's been tried many times before with other 
digital technologies, only to end up in disarray or under the de facto 
control of a principal stakeholder or group of interested parties.

In a word, think Windows. More than a decade of litigation and untold 
millions in taxpayer money has done little to loosen Microsoft's control 
over the operating system that more than 90 percent of the world's 
personal computer users rely on daily.

In the early days of the Web, a nonprofit agency called the World Wide 
Web Consortium was born of the altruistic notion that all interested 
parties could cooperate and compromise as needed for the good of the 
medium. The so-called W3C has done much good in defining Web standards 
where none existed and by serving as a trusted authority in the 
Internet's Wild West beginnings. At the same time, much of the W3C's 
activity is focused on standards defined by the very companies that in 
many instances most benefit from their creation.

The W3C probably isn't the right organization to be charged with Web 
security oversight anyway because it essentially defines tools used by 
others. Security breaches usually involve how those technologies are 
used, not necessarily the tools themselves.

"Standard bodies should focus on making very clear standards that set 
good baselines," Hoffman said. "The worst thing in the world that a 
standard can do is to be ambiguous, and there are a number of standards 
out there that are ambiguous."

Other organizations, like the Web Application Security Consortium, are 
attempting to define the most secure ways to develop applications. In 
addition, Web developers throughout the industry are sharing more 
research and security "best practices" through sites like XSSed.org, 
which publishes information on new cross-site scripting vulnerabilities 
and how to fix them.

But such efforts can go only so far. The Web giants have built out their 
properties over the years despite security problems, and new bugs 
continue to arise almost daily.

Microsoft, for example, came late to Web security--and to digital 
security in general. Until well into the 1990s, security was largely an 
afterthought in Windows, which was not designed with persistent network 
connectivity in mind.

Once it fully understood the issue's importance, however, Microsoft 
poured billions of dollars into the protection of client and server 
software. That effort has been expanded to include Web security as the 
company has moved more deeply into Web services with its "live" 
initiative--Microsoft's marketing-speak for its new online 
properties--which includes Windows Live, the online complement to 
software on the PC's hard drive.

It's understandable why Microsoft would think it knows best how to 
address a problem as big as Web security. Not only is it the world's 
largest software company, but many veterans there believe they have seen 
it all years before. Back then, they say, it was called desktop 
security.

Pete Boden, senior director for MSN and Windows Live security, echoes 
the views of many longtime executives. He argues that a lot of 
application security problems boil down to the same fundamental source: 
data input; that is, what people type into an application. Tightly 
control what can or can't be entered--or "validate" in industry 
parlance--and you can eliminate the major access point for security 
breaches.

"If you classified Web vulnerabilities and took out all of those that 
are related in some form to input validation, I think you'd have a very 
small number of vulnerabilities left," he said. "I contend that 80 
percent of the vulnerabilities that we see are input validation errors."

As a result, Boden believes that Microsoft has a leg up on the 
competition, having learned quickly about Web security because of its 
long software history and Trustworthy Computing experience. Like its 
main rivals, Microsoft has created tools to help developers quash bugs 
and test the quality of code, such as the Anti-XSS library, which 
encodes untrusted data before it is written into a page so the browser 
cannot interpret it as script, closing off cross-site scripting 
vulnerabilities.
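The input-validation point Boden makes, as an added example that is not from the article and is not Microsoft's Anti-XSS library: a small Node.js rendering of a user-supplied display name, first concatenated straight into HTML (the bug class he describes), then with allowlist validation plus HTML output encoding. The name pattern, the 40-character limit, the page markup and the sample inputs are assumptions made for this example. Validation rejects input that should never arrive; encoding at the output point covers whatever validation legitimately lets through (the apostrophe in a real name, say), which is why the hardened version does both rather than relying on validation alone.

```javascript
// Added example (not the article's or Microsoft's code). Demonstrates the
// "validate input, encode output" defence against cross-site scripting.
// Plain Node.js, no dependencies.

// Vulnerable: the untrusted value is dropped straight into the HTML, so a
// value containing markup is rendered as markup and any script in it runs.
function renderProfileVulnerable(displayName) {
  return `<h1>Welcome, ${displayName}</h1>`;
}

// Allowlist validation: accept only what a display name legitimately needs.
// Letters and digits in any script, space, dot, apostrophe and hyphen, 1-40
// characters. The pattern and limit are assumptions for this example.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} .'-]{1,40}$/u;

function validateDisplayName(value) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  return DISPLAY_NAME_RE.test(trimmed) ? trimmed : null;
}

// Output encoding for the HTML text context: each character that can start
// or end markup becomes an entity, so the browser treats it as data.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: validate first and refuse anything outside the allowlist without
// echoing it back; then encode what survives at the point it enters HTML.
// Encoding still matters after validation because the allowlist admits the
// apostrophe, which is live inside a single-quoted attribute.
function renderProfileHardened(displayName) {
  const name = validateDisplayName(displayName);
  if (name === null) {
    return '<h1>Welcome, guest</h1>'; // safe fallback, attacker input not reflected
  }
  return `<h1>Welcome, ${encodeForHtml(name)}</h1>`;
}

// Constructed sample inputs: an ordinary name and a classic XSS probe.
const SAMPLES = ["Ann O'Neil", '<script>alert(document.cookie)</script>'];

for (const input of SAMPLES) {
  console.log('input     :', JSON.stringify(input));
  console.log('vulnerable:', renderProfileVulnerable(input));
  console.log('hardened  :', renderProfileHardened(input));
}
```

Run it with `node xss-demo.js`; the vulnerable line reproduces the `<script>` tag verbatim, the hardened line either encodes the name or falls back to a fixed string. The same split applies to any other output context (attribute values, URLs, JavaScript strings), each of which needs its own encoder; a single HTML-text encoder, as here, is not sufficient on its own for those contexts.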

"It wasn't as daunting here as it may have been in some other places," 
Boden said. "There is a ramp and a learning curve we have to climb, but 
I think the learning curve for us is steep because of the prior 
investment we've made in our response process and our security program 
across the company."

Still, doubts linger. This is the company, after all, that misjudged the 
significance of the Internet back in the mid-1990s and later 
underestimated the value of Internet search and digital music.

Will Microsoft get it right with Web security? There's a good chance 
that it will, simply because there's too much at stake for the company 
as business moves increasingly to the Web. Moreover, regardless of how 
effective Microsoft's operations are, millions of consumers and 
developers will maintain pressure on the company to plug security holes.

Others confronting the Web security issue aren't so sanguine. Google, 
for one, sees all this as foreign terrain filled with potential land 
mines that may not even be known yet.

Douglas Merrill, Google's vice president of engineering, says that a 
scatter-shot approach is often the best bet in this hazy environment. 
Merrill trusts his company's servers more than the Mac in his office to 
safeguard his personal information because Google builds more layers of 
security around its data centers than around individual computers.

"Obviously there are corner cases in each model that you shouldn't go 
to," he said. "We devote vast quantities of resources to securing the 
cloud."

Perhaps, but no system is foolproof. Google, Microsoft and Yahoo have 
all argued that they have hardened servers to withstand attacks, but 
e-mail worms, phishing attacks and other assaults are still routine.

That's why Yahoo's Bejar argues that more industry collaboration is 
needed. As an example of a successful corporate arrangement, he cites 
Yahoo's partnerships with eBay and PayPal, and he would like to reach 
out more to MSN and Google as well as other industry groups.

It isn't just Web sites and online applications that need better 
security, Bejar argues. Other factors, such as stronger browser 
security, could make a huge difference.

There's just one problem: Yahoo doesn't control the browser. "There are 
challenges being presented by the browser security model that we as an 
industry need to work on together," Bejar said.

Google is attempting to work around that problem by acquiring some 
technology that could make Web browsing safer. Microsoft has developed 
features such as the green address bar in Internet Explorer 7, which 
signals that a site has presented an Extended Validation (EV) 
certificate, one whose issuer vetted the identity of the site's owner 
before issuing it; the EV rules came out of an industry initiative that 
also involves KDE, Mozilla, Opera Software and other browser makers.

All this is a good start, but it's mostly reactive. Security experts at 
the Big Three companies believe that more needs to be done at the root 
level of software development, starting at the university level to teach 
security to the incoming workforce as early as possible.

Universities should offer more courses that bridge the gap between what 
applications should do and what they can do--an approach to engineering 
that isn't widely taught today.

Simply put, Bejar says, "We need to make sure that we're on the same 
page."




