Google’s famous “Don’t be evil” motto got a corollary this week at Black Hat from Parisa Tabriz, director of engineering for the company’s Project Zero: “Do things better.”
“We have a responsibility to do things better. Computer security is becoming the security of the world,” she said during her Wednesday morning keynote in Mandalay Bay’s cavernous Events Center, after an intro complete with sweeping spotlights, smoke, ear-piercing music, and her image displayed on three jumbotrons.
Tabriz offered yet another catchy explanation: “We have to stop playing whack-a-mole and be strategic. It’s frustrating when we see bugs that we know about but just haven’t addressed.”
We can be strategic, she said, by following three principles.
The first: don’t be satisfied with isolated fixes, she said. Instead, address the root causes of the issues that arise, which requires asking the “Five Whys.” For example:
Doing that over time, she said, can change the internet ecosystem.
Among the strategic things her team was able to do by tackling root causes was to improve response and patch times for vulnerabilities. “We found that vendor response time to fixing things varied widely,” she said, “because they didn’t always have incentives to improve security.”
So Project Zero established a 90-day disclosure policy—the amount of time they give a company to fix a vulnerability before they make it public.
“It causes short-term pain for large organizations, and we got a lot of pushback,” she said. “But it resulted in innovation in technology that hadn’t been happening previously. And we began to see improved vulnerability response.”
She didn’t name vendors but said one doubled the number of security updates it released yearly. Another improved patch response time by as much as 40%. And she said the “deadline-driven approach” resulted in 98% of vulnerabilities being fixed within the 90-day window.
Another of her team’s initiatives was to “shift the world”—as in the World Wide Web—from HTTP to HTTPS by default. The results of that effort also show in the numbers: Tabriz said HTTPS adoption on Chrome for desktops has risen from 45% to 87%, and on Android from 29% to 77%.
Those milestones, she said, need to be celebrated, which aligned with her second principle: Pick milestones and celebrate them. She said in the case of her team, celebrating included small rewards like cakes, pies, and poetry readings.
But, she said, “rewards and parties aren’t enough. You need purpose to drive people. And I can think of few greater missions than keeping people safe.”
There was a bit of irony in that remark, since reports earlier that day revealed that Google is seeking a patent to enhance its facial recognition program using social media profiles. Or as TNW put it, “creeping on your social media profile.” At the moment, the proposed technology is just part of a patent application and not working software. But privacy advocates worry that this kind of data could make its way into the hands of law enforcement.
But that wasn’t part of Tabriz’s presentation.
Tabriz’s third principle is to form coalitions to cooperate on improving security: “Get people outside your security team invested in your success.”
She said the benefits of all projects might not be apparent immediately. But she noted that work to improve Chrome’s architecture that began in 2012 and involved site isolation “gave us a huge head start on Spectre,” which hardware vendors learned about in mid-2017. Spectre is a class of CPU vulnerabilities in which speculative execution leaves traces in the processor cache that an attacker can read back through a timing side channel, leaking memory the attacker should not be able to access. Because the attack can be mounted from JavaScript, it also affects browsers: a malicious page could read data belonging to other sites that shared its renderer process. Site isolation mitigates this by running each site in its own process, so another site’s data is never in the attacker’s address space to be leaked.
“To make a project like this work at scale, you need many different champions,” she said, adding that if coalitions are going to work, “you have to be a good team player.”
“Don’t be a jerk,” she said, “which is probably good life advice.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.