Security by Default
The opening keynote by Parisa Tabriz (Director of Engineering, Google), "Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes", covered the journey Google has taken to bring browsing into the security age. It was sobering to see that a company like Google, with all the resources available to it, started this journey in 2014 and is only now starting to see significant progress: four years so far. Their path, like so many others, was a series of incremental steps toward improvement and change.
Whack-a-Mole
Security, as described by Parisa, is much like the Whack-a-Mole game.
But the biggest round of applause came when Parisa stated:
"Blockchain is not going to solve all your security problems."
Google's Parisa Tabriz @ BlackHat2018 says security is like Whack-a-Mole and #Blockchain won't solve all security problems pic.twitter.com/3Wluw3oqz9
— tom spring (@zpring) August 8, 2018
Clearly not a lot of support for blockchain in the BlackHat audience... yet?
From the journey taken to secure the Chrome browser, the key learning boiled down to three elements:
- Tackle the Root Cause
- Project Zero (disrupt the industry)
- More Transparency and Collaboration – shared security goals
Three ways we can improve security & stop playing whack-a-mole (also, blockchain will not solve all of our problems). Parisa Tabriz of Google #Blackhat18 pic.twitter.com/36StBR4bAI
— Duo Security (@duosec) August 8, 2018
Ultimately, hacking the status quo and the bureaucracy around it is achieved through incremental steps that challenge that status quo. For those who don't remember, the concept of bug bounties was controversial initially; now it is the gold standard.
Likewise, automatic updates of security patches were controversial at first; now, not so much.
An interesting slide showed the different ways a "secured" site has been presented in Chrome.
In their survey, most users perceived the second choice as normal and secure. Over time they have moved the security indicators, bringing a large consortium of people along the way.
In bringing together experts, Parisa highlighted something I have long advocated in engineering healthcare technology: the people creating the technology, and the experts in it, are rarely the right people to optimize usability. As she put it:
"Security people are rarely the right people to ask about usability in security interactions/interfaces."
"Be a team player, don't be a jerk."
It was also noted that Google Page Rank was used as an influencer.
Incremental Steps to Security
At the press conference afterward, the question was asked: what one incremental step should you take in securing your enterprise?
Getting everyone pulling in the same direction is a key requirement.
Focus on finding the incentive and/or ROI for the people who are responsible for security.
Everyone has too much on their plate; what is required is allowing people to focus on security as a priority over all the other tasks on their to-do lists. This was true with Project Zero and with the HTTPS push (remember, this took from 2014 to 2018).
Security engineers at Google first tried to change HTTP UI in 2104. They did it in 2018. Things take time. If you’re having a hard time advancing your ideas, don’t give up. Keep fighting the good fight. Progress takes time. #BlackHat2018
— Adam Lewis (@lewiada) August 8, 2018
I will leave you with this as a closing thought:
A product that has no security flaws/bugs probably just doesn't know about them.