Saturday August 30, 2008 7:55 AM AEST
Vulnerability Alerts
SANS
 
Microsoft
 
CERT/CC
 
 
Latest Comments
"You should hire people to fight trojans and stuff"
on Best Western falls victim to major hack
by Me | Aug 29, 2008 7:27 AM
 
"Not exactly an innovative feature Microsoft. Other browsers have had this capability for a long ..."
on IE 8 to sport traceless browsing
by Chris Jones | Aug 28, 2008 7:38 PM
 
"Hey"
on PGP Whole Disk Encryption 9.5
by Emilio Garcia | Aug 27, 2008 2:53 AM
 
"adfdas"
on HP WebInspect 7.7
by ddd | Aug 26, 2008 4:24 PM
 
"i have seen a few iPhone porn sites and while most of them are crap I did run across one that ..."
on iPhone porn on the up
by gate | Aug 23, 2008 6:30 AM
Policy Management

Google shares its security secrets

  • Email a Friend
  • Print Page
Google shares its security secrets
Related Articles
By Shaun Nichols
Apr 11, 2008 3:54 PM
Tags: Google | shares | its | security | secrets
Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained to attendees at the RSA conference how the company handles constant pressure and scrutiny from attackers.

"Google is a very very high-value target," Petry noted.

"If you have bad intentions and want to get a reputation, hacking Google is the best way to get credibility on the streets."

In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.

"The most important thing that our security team does is educate," Petry explained.

"Educating people is the most important thing a security professional can do. "

Petry contended that in an age where both users and companies are increasingly relying on outside services and applications, it is becoming nearly impossible to fully lock-down a company.

"IT is largely fighting yesterday's battle," he said, in reference to the policy of trying to restrict all user access.

"Start saying okay, if these things are going to happen, do an assessment to try and bound the risk."

Petry noted that in addition to educating its employees, the company also implements software 'guard rails', which warn users when potentially risky actions are taken and later logs them for administrators to archive.

For software developers, Petry also suggested taking a 'neighbourhood watch', approach to vulnerability disclosure. For Google, this means sharing more information with researchers and trusting them to do the right thing with their discoveries.

"If you find a vulnerability, we ask that you share it with us. If you share it with us, we will respond to you with a time we will fix that hole," explained Petry.

"If we do so, that is our responsible response, please don't disclose [the vulnerability]."

That philosophy, combined with a policy of crediting all researchers who report flaws, has been very successful for Google, said Petry.

Copyright © 2008 vnunet.com

 
Ads by Google
Thoughts on this article? Add a comment below.
Be the first to comment on this article.

Name:
*
 
Email:
(will not be displayed)
*
 
Comment:
(HTML not permitted)
*
 
Validation
*

Enter the code you see below:

 

 
 
 
 
 
 
Risk Management Whitepapers
Popular Tags
apple breach cryptography data email gets gfi google government information languard microsoft mozilla network patch platform privacy ratproxy security tool