LAS VEGAS--It’s become a cliche to say that security is a team sport, but there’s more than a small kernel of truth in there. One person, no matter how talented or dedicated, isn’t doing it all alone, especially in today’s complex threat environment. Everyone needs help. Even Google.
“Everyone who cares about end user security needs to collaborate with each other, regardless who paid to send you here. I’d love to see more ambitious collaboration,” Parisa Tabriz, director of engineering at Google, said in her keynote address at the Black Hat USA conference here Tuesday.
Tabriz is in a unique position to understand the benefits and pitfalls of collaboration within an organization and across the technology ecosystem. She helps run the Chrome security team and also manages the company’s Project Zero vulnerability research group. Chrome is far and away the most popular browser and so it’s naturally a major target for attackers. The Chrome security team is well aware of this, of course, and since the browser’s debut 10 years ago, Google’s engineers have spent considerable time and effort on adding new defense mechanisms to it.
The most recent example is a feature called site isolation, which places pages from different sites in separate renderer processes so that an attacker who compromises one page cannot read data belonging to another site from the same process. It’s a feature that Google has been working on for several years and Tabriz cited it as prime evidence of the value of cross-team and cross-organization collaboration on advanced defenses. Google began work on site isolation in 2012, long before the Spectre and Meltdown speculative execution attacks became public earlier this year. It was conceived as a solution to a problem that the Chrome engineers knew was there all along--attackers stealing data across sites--but turned out to be a highly effective defense for Spectre and Meltdown in the bargain.
“No one could have predicted a problem as serious as Meltdown and Spectre. We originally thought this would be a one year project,” Tabriz said. “We were off by a factor of six. It turned out to be the largest architectural change and code refactoring in the history of the company. Site isolation is a cross-cutting change for Chrome and it’s hard to describe how big it was.”
The scope of the project was significant, Tabriz said, and it required resources from a number of different teams. And because it took six times longer than the team originally expected, there were plenty of questions and doubts along the way from the Chrome team itself and outsiders, too. But Tabriz and her team believed the change would make a major difference for user security, so they persevered.
“I was happy to support the project over the years. We all need to invest in ambitious defensive projects,” she said. “Making real change is hard and the timelines are hard and you have to stay motivated over a long period of time. Root problems are hard to solve. We need to pick practical milestones along the way and celebrate when we reach them.”
While much of the work done in security is lonely, individual toil, Tabriz said that the only real way to make a difference to the security of end users is for organizations, researchers, and others in the community to work together.
“The world’s dependence on safe, reliable technology is increasing and we have to get more ambitiously transparent and ambitious in our approach to defense,” she said. “We know where many of the problems are, but we have to do more to solve them. The web is ultimately more secure today because of a loose collective of people making changes over the course of many years.
“I can think of few greater missions than keeping people safe as the world increasingly depends on technology.”