While the apps, still in beta, promise advantages over off-the-shelf software, one aspect of these offerings causing heated discussion is the security of web-based applications. Rebecca Wettemann, a vice president of research at Nucleus Research, believes enterprises need to be concerned about Google Apps just like any other on-demand application. “An application accessed remotely isn’t any less secure than one inside an internal data center.”

Charlotte Dunlap, an enterprise security analyst with market research firm Current Analysis, emphasizes that enterprises considering the move to Google’s collaboration suite face the same security issues as any of the other SaaS products already delivered via the web. She notes that enterprises must realize that, according to protection vendors, the majority of malware now arrives via the web, which makes web-borne malware a critical issue when deploying an on-demand solution.

Among the most prevalent of these web-based threats are SQL injections and cross-site scripting (XSS).

“Cross-site scripting is a big one,” says Chris Wysopal, the chief technology officer for Veracode, a developer of hosted application security analysis services. In a Web 2.0 application, “all of the data is going to be protected by authentication over the web, so if hackers can subvert that, they can access your data.”

Web 2.0 applications, such as Google’s, are also highly susceptible to JavaScript vulnerabilities, says Wysopal. And, he says, researchers are finding new classes of vulnerabilities every day.

“With the changing feature set in web browsers and in the ways people are using JavaScripts on browsers, it’s very difficult to find automated ways to check the security of Web 2.0 applications that rely on JavaScript,” he says, adding that JavaScript has become so complicated, it’s difficult to find all its vulnerabilities.

“So, you have to hope that the companies offering these services have great internal security review teams able to test these applications,” Wysopal says.
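The cross-site scripting risk Wysopal describes comes down to untrusted content being written into a page without encoding. The following is an added illustration, not code from the article, Veracode or Google: a toy comment renderer for a collaborative document, shown first without output encoding and then with it. The function names, the `escapeHtml` helper and the sample comment are all constructed for this example.

```javascript
// Added example: HTML output encoding as the baseline defence against XSS.
// Constructed sample data; no real application or user is represented.

// Encode the five characters that matter in an HTML text node or a
// double-quoted attribute value. Other contexts (URLs, inline script,
// CSS) need their own encoders; this one is only for HTML text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the author name and comment body are concatenated straight
// into markup, so any tags the user typed become part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is encoded for the HTML text context
// before it reaches the markup. Only the template controls the structure.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple check used to demonstrate the difference: does the produced markup
// contain a script element that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a comment whose body contains markup it should not.
const SAMPLE_COMMENT = {
  author: 'mallory',
  body: 'looks good <script>alert(1)</script> to me',
};

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
  console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
}
```

The point of the hardened version is that encoding happens at the output boundary, for the specific context the value lands in. A reviewer checking a Web 2.0 application for this class of bug looks for every place user-controlled data reaches `innerHTML`, template strings or document writes, and confirms each one passes through an encoder for that context.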

Another big risk involved with SaaS applications is what Wysopal refers to as the multi-tenancy problem, where multiple customers’ data is combined in files running on a single application platform.

“This opens the risk that a security bug in an application could allow accessing someone else’s data. It’s a whole class of problems that needs to be vetted.”
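The multi-tenancy problem Wysopal refers to is, in concrete terms, an authorization check that looks up a document by its identifier alone. The following is an added example and not code from the article, Veracode or Google: a toy document service with two tenants, showing the per-identifier lookup beside a version that enforces the tenant boundary and the document's share list. The store, the user records and the function names are constructed for this example.

```javascript
// Added example: tenant isolation in a shared document service.
// All documents and users below are constructed sample data.

// Documents from two different customers live in one store, as they would
// on a single SaaS platform.
const DOCS = new Map([
  ['doc-1', { id: 'doc-1', tenantId: 'acme',   owner: 'alice', sharedWith: ['bob'], body: 'Q3 plan' }],
  ['doc-2', { id: 'doc-2', tenantId: 'globex', owner: 'carol', sharedWith: [],      body: 'Merger memo' }],
]);

// Authenticated callers. Authentication alone says who they are, not what
// they may read; that second decision is the part that goes wrong.
const SAMPLE_USERS = {
  alice: { userId: 'alice', tenantId: 'acme' },
  bob:   { userId: 'bob',   tenantId: 'acme' },
  carol: { userId: 'carol', tenantId: 'globex' },
};

// Record of denied requests, the kind of signal a detection rule would
// watch for repeated cross-tenant lookups from one account.
const DENIED = [];

// Vulnerable: the caller is authenticated, but the lookup keys on the
// document id only, so any user who knows an id can read any tenant's data.
function getDocumentUnsafe(caller, docId) {
  const doc = DOCS.get(docId);
  return doc ? doc.body : null;
}

// Authorization decided in one place, deny by default.
function canRead(caller, doc) {
  if (doc.tenantId !== caller.tenantId) return false;   // tenant boundary first
  if (doc.owner === caller.userId) return true;         // owner
  return doc.sharedWith.includes(caller.userId);        // explicit share list
}

// Hardened: the same lookup, followed by the per-document check. A missing
// document and a forbidden one get the same answer, so the response does
// not reveal which ids exist in other tenants.
function getDocumentSafe(caller, docId) {
  const doc = DOCS.get(docId);
  if (!doc || !canRead(caller, doc)) {
    DENIED.push({ userId: caller.userId, tenantId: caller.tenantId, docId });
    return null;
  }
  return doc.body;
}

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe, carol reads acme doc:', getDocumentUnsafe(SAMPLE_USERS.carol, 'doc-1'));
  console.log('safe,   carol reads acme doc:', getDocumentSafe(SAMPLE_USERS.carol, 'doc-1'));
  console.log('denied requests:', DENIED);
}
```

Two design choices carry the weight here: the tenant comparison runs before any finer-grained rule, so a bug in the share-list logic can never cross a customer boundary, and denials are logged with the caller and the requested id, which is what a detection team needs to spot an account probing for other tenants' documents.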

These security concerns have slowed deployments of SaaS solutions, believes John Maddison, general manager, network security systems, Trend Micro.

“The online/offline security issue is slowing the uptick of deployments,” he says.

To help combat some of the web threats facing Google Apps-type environments, vendors such as IronPort, Cybertrust and Trend Micro are delivering what Dunlap calls reputation services. These products, which are similar to those found in email solutions and firewalls at the edge of a network, determine whether a website is the real deal or a fake one put up by malicious individuals.

The reputation-based products give users a clue as to whether the websites they’re visiting are good or bad, Dunlap explains. For instance, she says Microsoft has shown demonstrations of a color-coded toolbar for the desktop providing such a service. She expects to see vendors expand their coverage to PDAs, as well as personal computers.

Google insists that its Google Apps Premier Edition applications are not Microsoft Office slayers. “We view Google Apps essentially as a communication and collaboration tool,” says Google enterprise product manager Rajen Sheth.

So while there are clearly advantages, many still question how much of a threat web-based apps are to their networks.

Yet, Google applications provide a variety of security features, says Eric Ogren, a security analyst with the Enterprise Strategy Group. For one thing, “you have to have authority to get in. Users can determine policies of who looks at a particular document, the amount of collaboration offered, and users have the flexibility to store data on their corporate laptop or have Google do it for them.”

In addition, he voices the security argument most commonly heard about SaaS solutions: “The customer’s IT department doesn’t have to maintain upgrades, so you don’t have to deal with patches with Google Apps, and that’s a nice feature.”

Google’s Sheth also points out that communication between a customer’s users and Google’s servers can be encrypted. “You can mandate that all our applications are available only through HTTPS,” he explains.

Sheth notes that Google’s own employees rely on the new applications both internally and in collaboration with customers. “We have a huge interest in keeping this protected,” he says.

Veracode’s Wysopal believes Google’s customers should take a role in ensuring the security of their data. He says it’s important for SaaS vendors to turn to a third-party for an analysis of the security vulnerabilities within their services, and to provide that documentation.

Admittedly, he has a vested interest in promoting this — Veracode offers such services. Without these safeguards, however, “enterprises miss out on the validation of the security of the software they’re using,” he says.