LAS VEGAS — It’s time to stop treating security problems like a game of Whack-A-Mole, Google’s Parisa Tabriz said during the keynote today at Black Hat 2018. Oh, and blockchain isn’t the magic bullet. “Blockchain is not going to solve all our security problems,” she quipped.
Tabriz is a director of engineering at Google, where she also manages the Project Zero security research team, one of the teams that independently discovered the Meltdown and Spectre CPU vulnerabilities.
Speaking at the annual security event in Las Vegas, she said technology companies need to do more. “As things get more interconnected we have to stop playing Whack-A-Mole,” she said. “We have to get more ambitious, more strategic, and more collaborative in our response to events…Computer security is increasingly becoming the security of the world. We know what the problems are, and we should continue to look for those problems. But we have to do more to solve them.”
This requires a three-step approach, she said. First, identify the root cause of a class of bugs rather than treating each instance in isolation.
“Second we have to be more intentional in how we pursue long, defensive projects,” she said. This involves identifying milestones and celebrating progress.
And third, tech companies need to work together. "We have to build coalitions of champions outside of security," she said.
Tabriz cited Project Zero’s 90-day disclosure rule and Google’s push for HTTPS adoption as two examples.
“Project Zero leverages two tactics that I want to see more across our industry: transparency and collaboration, especially beyond corporate walls,” Tabriz said.
Google's bug hunting team was formed in 2014, and it has since found more than 1,400 vulnerabilities. When its researchers find a security flaw, they give the software vendor 90 days to ship a fix before they publish the details.
“Initially, this deadline driven approach was extremely controversial,” Tabriz said. “A deadline-driven approach causes short-term pain for large organizations that have to make structural change. But sticking to those deadlines over the years resulted in vendors rallying, innovating, and investing in structural change, both technical and organizational.”
Tabriz credited the deadline policy with concrete results: one major vendor doubled the number of security updates it releases each year, and another cut its patch response time by as much as 40 percent. Ninety-eight percent of the vulnerabilities Project Zero reports to vendors are now fixed within the 90-day window, up from 20 percent before the deadline-driven system.
“We’re seeing more security patches, faster response time, and end users getting notified faster about software the world depends on,” Tabriz said.
She also pointed to Google's effort to have Chrome label pages served over plain HTTP as insecure. The effort took about four years and was completed last month, when Chrome 68 began marking every HTTP page "Not secure".
It required collaboration: Google worked with browser maker Mozilla and the certificate authority Let's Encrypt, which issues certificates free of charge, to make it easier and cheaper for sites still on HTTP to move to HTTPS.
Celebrating progress also came into play: Google used a home-made HTTPS cake and a poetry slam with HTTPS haikus to motivate the team.
Photo: Google’s Parisa Tabriz gives the keynote at Black Hat 2018.