Black Hat Parisa Tabriz, a director of engineering at Google and head of the web giant's Project Zero bug-hunting squad, today opened this year's Black Hat USA conference with a reminder that partying is key to securing software.
There’s more to it than that, of course: clear goals and targets have to be set, management and staff have to be in agreement and reading from the same page, and the root causes of bugs need to be identified and addressed rather than sticking plaster slapped over holes.
Writing secure code and protecting systems is an arduous task, so employees need to stay motivated – and celebrating successes regularly, with a little party or two, encourages folks to get things done.
Oh, and don't be distracted by fads like blockchain databases...
“Blockchain is not going to solve security problems,” she told the crowd, much to the chagrin of vendors who have signs up in the expo hall proclaiming the opposite. “We have made great strides in the past decade, but the threat landscape is becoming increasingly complex and our current approach is insufficient.”
By way of example, she discussed Google's four-year project, completed in July, to have Chrome label non-HTTPS webpages as insecure. There was significant pushback when the naming'n'shaming move was proposed; however, by setting out clear goals and working to get management to buy into it, the project was launched.
The Googlers working on the move even held a poetry slam to write haikus describing where they wanted to go, including this gem:
Secrets in the tubes
People in the middle snoop
Protect with crypto
By 2015, a page detailing the push had been added to the Chromium wiki and developed there. This was used to make the case to management for the switch. Each milestone was celebrated within the team, sometimes as simply as baking a cake and having a bit of a party.
Another key to success is setting firm and clearly defined deadlines. Project Zero has come in for some flak for enforcing a 90-day disclosure rule: no more than three months after the vendor has been notified of a vulnerability in its product or project, Google will go public with the details.
There are exceptions, notably with the computer processor world's Spectre and Meltdown flaws – which involved six months of behind-the-scenes work – however, in general the rules have encouraged the industry to speed up the issuing of security bug fixes, Tabriz opined. We're told 98 per cent of vulnerabilities are patched within the 90-day deadline, a marked improvement from the long delays for patches that were previously the norm.
You can watch her hour-or-so-long keynote in the video below, from the nine-minute mark.
In his introductory remarks, Black Hat founder Jeff Moss echoed Tabriz’s calls for a secure-by-default world. There are about 320 companies, he said, that control the online safety of billions of us, typically operating system, browser, and key hardware manufacturers.
“We have to build a culture around defense,” he said. “It's up to us to put pressure on companies. We can change the security posture for the entire world.” ®