Delivering the keynote address at Black Hat USA in Las Vegas, Google’s director of engineering Parisa Tabriz talked about the need to collaborate, celebrate progress and recognize those doing the defensive work.
Tabriz claimed that there are times when she feels we are “living in a reality version of Whac-A-Mole,” and she admitted that as the head of Google’s Project Zero she gets frustrated when there are reports of vulnerabilities not addressed.
She said that “98% of security issues that Project Zero reported fixed within in 90 days,” and while she later acknowledged that it “was and is controversial,” the project's aim is to challenge the status quo and pushback, and sometimes efforts move faster with collaboration.
Tabriz said that the “world is dependent on being safe, so we need to be more strategic in our approach to defense” and that to be successful we need to:
- Identify and tackle root causes
- Be more intentional on projects, pick milestones and celebrate progress
- Invest in bold defense projects and champions outside of security so efforts are successful
In terms of the first aim, she pointed to the work of Project Zero, which she said is “leading to positive change” with time to fix flaws and update users having been massively shortened.
“Today we see examples with vendors with better response, and no longer see pushback [to vulnerability disclosure] and see investment in sandboxing,” she said. However, with more transparency, more collaboration and more interest in user security, we can move to more shared security goals.
As part of this, Tabriz publicly thanked defenders “for being unsung heroes” and said it was time to “recognize and celebrate defenders more.”
On the second point, she pointed at the recent launch of Chrome 68, which will flag non-HTTPS websites as not secure, saying that “without HTTPS there is no security and no privacy.”
She acknowledged that initial plans, which began in 2014, did not happen due to concerns on website performance and user experience. But when it did happen, the team celebrated it as it was “fun but important to keep morale up” and it was important to “celebrate progress as we tackle gnarly security problems.”
Finally, on investing in defense, Tabriz encouraged investment in core technologies and said that when the benefits are not immediately clear, they need to be communicates. “Impactful is not adding new things but simplifying existing code.”
She concluded by saying that the right problems and technical solutions can be found, but everyone must work together to clear the path for a safer future.
“Band together to stop playing Whac-A-Mole, so strategically pick milestones, remember to reflect on progress made and celebrate progress,” she said. “As we invest in a project where the benefits are not clear, build coalition of champions. We care about making positive change. It’s up to all of us.”