At the start of this year's Black Hat USA conference in Las Vegas, Parisa Tabriz, Director of Engineering at Google and head of Project Zero, shared her insights from working on the search giant's bug-hunting team and from the push to label non-HTTPS websites as insecure.
Tabriz explained how difficult it was, while leading Project Zero, to keep her team motivated as they worked to secure code and protect systems. She stressed the need to celebrate successes regularly as a way of encouraging her staff to keep getting things done.
During her speech, Tabriz also cautioned the audience to avoid being distracted by fads such as blockchain, saying:
“Blockchain is not going to solve security problems. We have made great strides in the past decade, but the threat landscape is becoming increasingly complex and our current approach is insufficient.”
To further emphasize her point, Tabriz discussed Google's four-year project to have its Chrome browser label non-HTTPS sites as insecure. Although there was a great deal of pushback when the project was first announced, the team was able to make it a reality by setting out clear goals and working together to get management to buy into the idea.
Tabriz also noted that setting firm and clearly defined deadlines has been instrumental to Project Zero's success. Project Zero has consistently enforced a 90-day disclosure rule: it publicly discloses the details of a vulnerability exactly three months after it first informs the vendor. This has led to faster security bug fixes across the industry and has moved vendors away from the long patch delays of the past.
For those looking to learn more, Tabriz's hour-long keynote is available to watch and it offers a rare glimpse at how Google operates internally.