Improving Security by Default

by Dr Nick

Security by Default

The opening Keynote by Parisa Tabriz | Director of Engineering, Google: Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes covered the journey taken by Google to bring the status of browsing into the Security age. It was sobering to see that a company like Google with the resources available started this journey in 2014 and only now starting to see significant progress – 4 years so far. Their path, like so many others, was a series of incremental steps to improvement and change


Security, as described by Parisa, is much like the Wacka-Mole game

The biggest round of applause came when she stated:



But the biggest round of applause came when Parisa stated:

Blockchain is not going to solve all your security problems

Clearly not a lot of support for Blockchain in the BlackHat audience….. yet?

From the journey taken to securing the Chrome browser the key learning boiled down to three elements

  1. Tackle the Root Cause
  2. Project Zero (disrupt the industry)
  3. More Transparency and Collaboration – shared security goals



Ultimately it is hacking the status quo and bureaucracy is achieved through Incremental steps that challenge the status quo. For those that don’t remember the concept of bug bounties was controversial initially now it is the gold standard
Also, Auto updates of security patches were controversial now not so much

Interesting slide of the different presentation of “secured” site in chrome

Chrome Connection Indicators circa 2014

In their survey, most users perceived the second choice as normal and secure. Over time they have moved the security indicators bringing along a large consortium of people along the way

Rethinking the Security Indicators

And in bringing together experts Parisa highlighted something I have long advocated in Engineering healthcare technology – the people creating and experts in the technology are rarely the right people to optimize usability – as she put it

Security people are rarely the right people to ask about usability in security interactions/interfaces


“Be a team player, don’t be a jerk”

Also noted that Google Page Rank used as an influencer


Incremental Steps to Security

At the press conference afterward what one incremental step should you take in securing your enterprise:

Getting everyone pulling in the same direction is a key requirement

Focus on finding the incentive and/or ROI for the people who are responsible for security

Everyone has too much on their plate – what is required is allowing people to focus on the security as a priority over all the other tasks on their to-do lists. This was true with project zero and with the https push (remember this took from 2104 to 2018)

I will leave you with this as a closing thought

A Product that has no security flaws/bugs probably just doesn’t know about them


You can also follow me here on medium, on twitter, or on facebook or Sign up to receive my posts each week

Leave a comment



This site uses Akismet to reduce spam. Learn how your comment data is processed.