Google, Microsoft Online Apps Raise Security Questions
Google's hosted application suite Microsoft Office Live,
But like the traditional desktop environment, Web applications have security problems. Last week, more than 60 new Web application vulnerabilities were found, according to the SANS Institute's latest @RISK bulletin. Compare that to the number of vulnerabilities found last week in Windows (2), Mac OS (2), and Linux (3), Internet Explorer (2), third party Windows apps (9), or cross-platform apps (16).
"Web applications tend to be written less tightly than other applications," says Alan Paller, director of research for computer security organization at the SANS Institute, though he notes that Google's code review process is probably more rigorous than that of an average online startup. Google's apps are not among those listed in @RISK as being vulnerable.
Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web apps isn't as mature as the desktop application programming model. "Anytime you have a new piece of technology, you will find more problems with it," he says.
But Merrill also says that the SANS Institute's figures don't exactly represent an apples-to-apples comparison because they don't take into account the amount of time the software has been available. "After something has been out a while, that means you shouldn't be finding as many holes in it because you've found all the early ones," he explains.
Merrill stresses that Google takes security very seriously, both to protect its users and to keep its intellectual property and internal systems—Google's secret sauce, so to speak—safe. In contrast to having a centralized security group review code before it's released, Google uses what Merrill describes as distributed system that enlists every engineer to make programs more secure. That means training every software engineer and Q&A engineer to look for security problems and to practice secure coding, and using common libraries that help avoid common security problems. It also means that code gets reviewed by another engineer whenever it gets checked in, and again during design, implementation, and launch.
"Everyone in the company feels accountability for building secure product because at the end of the day our users are what matters," Merrill says. "And providing good security is good for our users." Many companies make similar claims, though unlike a lot of Web startups, Google has the resources to practice what it preaches.
Microsoft also has considerable resources and since 2002 has been making a concerted effort to improve the security of its applications. It has made many recent security-related acquisitions and hires. Earlier this month, it hired former McAfee virus researcher Vincent Gullotto to serve as Microsoft's general manager of Security Research and Response.
Businesses, of course, worry about security at least as much as software vendors. Matt Glotzbach, head of enterprise products at Google, says people in his group regularly discuss security with business customers.
Among some corporate IT executives, Google's message that online apps aren't necessarily less secure than desktop ones appears to have been heard. Brad Friedman, VP of IT for retailer Burlington Coat Factory, uses Star/Open Office at more than 360 retail locations and says that the security issues for Web-based apps are similar to desktop programs, though different risk mitigation methodologies may be required.
"I would be no more or less likely to consider a Web application like Google's Writely over say Microsoft Word," Friedman writes via e-mail. "The point is that both need to employ a certain level of security surrounding the application that would make it 'less vulnerable.'"
As an example, Friedman observes that Microsoft Word in a desktop environment may be capable of executing macros. "One can turn off macros as a security measure but the prudent backup measure is virus protection on the desktop," he writes. "If it gets past the desktop, enterprise-level protection is the next level that should be enforced. The situation is no different for a Web-based application; it just may have different levels of exposure that need to be taken in consideration."
Others, like Kevin Jaffe, director of corporate systems for Priceline.com, take a more cautious approach even while acknowledging that the software-as-a-service model represents the future. "Our culture from the beginning has always been let somebody else jump out there first," he says.
With Web applications, "you don't have the same concentric circles of deterrent," says Jaffe. "We're not so concerned about, say, certain vulnerabilities within certain Microsoft applications because there're three or four levels of security around this company that you've got to get through to begin with."
And Jaffe believes Web applications are potentially more vulnerable because specialized, application-specific knowledge isn't as necessary. "When you start dealing with Web-based applications, you've lowered the common denominator for the typical hacker," he says.
While there's no such thing as perfect security, companies have to determine for themselves whether the possible benefits of online applications outweigh the risks.
"The advantage of Web apps is they're far easier to patch," says Merrill. "When a problem is in fact found, trying to fix it is never trivial. But it's much simpler to patch a server than it is to patch some large number of clients distributed across some large number of networks."
Paller concurs. "One huge positive is that the patching is going on in real-time," he says, "whereas most of us aren't doing that." And because patching can be such an onerous chore, he believes that many organizations will contemplate ditching PCs altogether in favor of applications delivered through a thin client. Pointing to Citrix Systems' network application delivery platform, he says, "The security guys seem to be supportive of it."
Jaffe contends that the ease of patch management online isn't that significant to organizations like his that have a patch management system in place, but he nonetheless believes that online apps represent the future. "Our feeling is that things will definitely be going in that direction as an industry because it's just easier to support," he says. "And in terms of performance, a lot of the industry is making a push for going back to a terminal-type setup on the desktop."
That may have something to do with why last week Microsoft and Citrix expanded their existing partnership to announce a new joint marketing and development plan.
That's not to say that online apps are any guarantee of secure computing. As the popularity of the software-as-a-service model grows, so too will its problems. Paller predicts an increase in Web apps attacks that attempt to exploit the protocols used by online apps, rather than exploiting holes in the applications themselves, by "piggybacking" on data sent from the Web app to the browser-based client.
But because the desktop model really isn't any better, and is in some ways worse, Paller predicts businesses will overcome their reservations about hosted software. "Security will drive people to centralized applications," he says.