Head of Google security team: stop putting out ‘security fires’


At the annual Black Hat security conference in Las Vegas, Parisa Tabriz, who leads, among other things, Google’s Project Zero team, opened her keynote with the message that putting out isolated “security fires” gets nowhere and that lasting change requires a specific approach.

Tabriz is best known inside and outside Google by her self-chosen title of Security Princess, but her official role is director of engineering, and she manages the Project Zero team, which searches for vulnerabilities in software from Google as well as from other organizations. She began her keynote by saying that she feels like she is in a real-life game of whack-a-mole, in which individual problems are fixed as soon as they pop up. That approach does not work, she says, which is a problem “as computer security is slowly becoming the security of the whole world.” Instead, she proposes a three-part approach.

The first part is tackling the root cause of a problem rather than just developing ‘isolated solutions’. “One of the ways to do that is to keep asking ‘why’,” Tabriz said. “Take the example of an RCE vulnerability in a certain product. Then ask why this vulnerability was not discovered earlier and why this type of vulnerability was not tested for. Why does it take so long to update, and why does it take five weeks to test that update? If you ask those questions, you can make structural changes.”

When speaking of change, she cites the 90-day disclosure deadline used by Project Zero. It is not always appreciated by the organizations that have to fix vulnerabilities within that time. Tabriz says: “This deadline hurts in the short term for companies that need to make structural changes, but in the end it does lead to change.” According to her, companies now push back less and invest more in security measures. Meanwhile, 98 percent of the vulnerabilities reported by the team are fixed within the 90-day window.

The second part is setting milestones and celebrating achievements. She cites the gradual adoption of HTTPS, which she attributes in part to how Chrome presents encrypted and unencrypted connections. “In 2014 there was already a proposal to mark HTTP sites as unsafe, but that was almost immediately rejected,” says Tabriz. The Chrome team then worked out UI changes that would eventually lead to that change after all, which happened recently with the release of Chrome 68. In the meantime, Google took several intermediate steps toward it. “Those milestones were a reminder that something was about to change and provided clear deadlines,” Tabriz says. “Let’s Encrypt also played a fundamental role in this.”

The last part is building coalitions to push change through. Here Tabriz discusses the introduction of site isolation in Chrome, which she describes as one of the most fundamental changes ever made to Google’s browser. Work on the feature began in 2012 and was expected to take a year. In the end it took six years; Google recently announced that the feature is active for almost all Chrome users. “If a project takes longer than planned, it makes you a target for management,” Tabriz says. “The project could also have ended due to a lack of support from the rest of the Chrome team. For example, the ten people who worked on site isolation had to convince other Chrome teams to make drastic changes.”

As an example, she mentions that the Ctrl+F find function suddenly changed from a simple for loop into a “distributed systems problem”, since the frames of a single page could now live in different processes. Such a change is only possible if it is communicated in an understandable way to the people who will ultimately have to implement it. Site isolation ultimately proved to be the right move when it turned out that the feature also helps protect against Spectre attacks in the browser.

Tabriz concluded her keynote by saying that, despite everything, she is optimistic about the future and believes that structural changes are possible.
