With the launch of Google's hosted application suite earlier this week and the ongoing beta test of Microsoft Office Live, online application delivery appears ready to challenge the desktop computing model that has dominated since the 1980s.
But like the traditional desktop environment, Web applications have security problems. Last week, more than 60 new Web application vulnerabilities were found, according to the SANS Institute's latest @RISK bulletin. Compare that to the number of vulnerabilities found last week in Windows (2), Mac OS (2), and Linux (3), Internet Explorer (2), third party Windows apps (9), or cross-platform apps (16).
"Web applications tend to be written less tightly than other applications," says Alan Paller, director of research for computer security organization at the SANS Institute, though he notes that Google's code review process is probably more rigorous than that of an average online startup. Google's apps are not among those listed in @RISK as being vulnerable.
Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web apps isn't as mature as the desktop application programming model. "Anytime you have a new piece of technology, you will find more problems with it," he says.
But Merrill also says that the SANS Institute's figures don't exactly represent an apples-to-apples comparison because they don't take into account the amount of time the software has been available. "After something has been out a while, that means you shouldn't be finding as many holes in it because you've found all the early ones," he explains.