Google’s ‘Security Princess’ calls for stronger collaboration

LAS VEGAS—“The blockchain is not going to solve all our problems,” Parisa Tabriz, Google’s head of security for the Chrome browser and leader of the Project Zero security vulnerability-hunting team, told an audience of more than 6,000 to kick off the Black Hat conference here.

Tabriz, also known by the title printed on her business cards, “Security Princess,” argued that to protect consumers and solve the latest threats, members of the security industry need more than the latest technology. They need to work better together.

“We have to be more ambitious, more strategic, and more collaborative in our approach to defense,” she said, citing two security projects Google initially took on unilaterally that over time have forced behavioral shifts in the broader tech community. “The status quo isn’t sufficient.”

Tabriz’s argument—that a major player like Google can make independent decisions to influence the industry, then work with industry partners (including competitors) to ensure that the changes it has initiated are broadly adopted—may have irked some audience members. But it also seems to be a fair description of reality. Certainly, judging by the applause that she received, her words resonated with the crowd.

Google’s multiyear project to force the majority of Web traffic to upgrade from insecure HTTP to the encrypted HTTPS started with a bug ticket Tabriz’s team filed with Chrome developers—one that got rejected, she said. But her team didn’t give up, and it eventually was able to get enough internal support for the initiative to seek help from others.

Mozilla backed the initiative in 2015 by providing supporting research to phase out support for non-secure HTTP in Chrome competitor Firefox. The Electronic Frontier Foundation (and others) helped by sponsoring the Let’s Encrypt project, which focuses on dramatically reducing the monetary cost of obtaining an encryption certificate. And cloud-hosting companies like Cloudflare and certificate authorities helped by encouraging adoption of HTTPS certificates and supporting the increase in HTTPS traffic.

“Dozens of privacy and security advocates around the world,” meanwhile, worked to spread the word, Tabriz said. (If you’re still looking to add an HTTPS certificate to your site, security expert Troy Hunt has a comprehensive, step-by-step guide on how to do it.)

While Google’s strong embrace of HTTPS—and rejection of HTTP—upset a few SEO experts and raised questions about how secure its protocol actually is, the initiative is now widely accepted as a security and privacy victory. And as Tabriz explained, Google’s far more controversial Project Zero security initiative wouldn’t have been successful without industry collaboration.

Project Zero encourages tech companies to address security vulnerabilities faster by notifying them when one has been discovered in their software, and giving them 90 days to fix it. If it’s not fixed within that time frame, Project Zero publicizes the vulnerability.

Tabriz said Project Zero has brought remarkable changes to the tech industry. When it launched four years ago, only 25 percent of known vulnerabilities were fixed within 90 days, she said. Today, that figure has shot up to 98 percent. The Project Zero team has discovered more than 1,400 security vulnerabilities during that period.

But Project Zero has stepped on toes to get to where it is—and it’s arguably broken a few too. It has disclosed vulnerabilities that targeted companies had told Google they were still working to patch, or without adequate protections in place for consumers—leaving zero-day vulnerabilities exposed to hackers.

Google was also an early adopter of publishing vulnerability reports publicly and offering bug bounties, practices that used to raise fears of incentivizing the “wrong” behavior in hackers.

“Now [publishing vulnerability reports is] considered an industry best practice,” she says. Tech companies were also originally opposed to automatic software updates, a key feature of Chrome since its introduction in 2008. Now all the major browsers have incorporated auto-updates, removing “user choice” from the security-update process.

Following her keynote address, Tabriz told The Parallax that she’s proud of how Google’s security teams “have led the industry.” And leadership means playing well with others.

“A number of different vendors can make that first move, and they have to have the influence to make people pay attention. I’m really proud that Google has done that. I don’t think we would’ve been able to do this by ourselves,” she says. “Project Zero is really interested in collaborating with Apple, Microsoft, hardware vendors, Intel because we genuinely want to make defense better.”

Microsoft declined to comment. Apple and Intel did not respond to requests for comment.

Computer security has significantly improved since powerful players like Google started making big decisions and collaboratively forcing them through, says Chris Wysopal, chief technology officer at Veracode, who has been observing industry changes since his 1990s involvement in the hacker collective L0pht Heavy Industries.

“Full disclosure of vulnerabilities started at the L0pht to make sure that people knew their software had security holes. It’s evolved so that now vendors don’t want their bugs found in public,” he says. “By being that 800-pound gorilla, Google is able to set the standard.”

Wysopal says collaboration within companies like Google—among their various departments—is also vital to the improvement of security practices. Security experts like Tabriz, he says, need to feel that they are working with, not against, their colleagues in engineering, user interface design, and other parts of the company.

“She can’t force them to work together,” he says. “From manager to manager, security engineer to developer, security has to work with the rest of the organization.”

Tabriz recalled that the decision to upgrade Web traffic to HTTPS was initially controversial even within the Chrome security team, but a haiku-brainstorming session helped win over dissenters. She broke her charges into teams, each of which was tasked with coming up with a haiku describing how HTTPS works. She ended the keynote by sharing one of the poems:

Secrets in the tubes.
People in the middle snoop.
Protect with crypto.

Update, August 10 at 7:55 a.m. PST: Added response from Microsoft.