Google Shares Its Security Secrets

The famously secretive Google is now offering security professionals a look into its security systems.

Scott Petry, a director at Google Enterprise and founder of security
firm Postini, explained to attendees at the RSA conference how the
company handles constant pressure and scrutiny from attackers.


"Google is a very very high-value target," Petry noted.


"If you have bad intentions and want to get a reputation, hacking Google is the best way to get credibility on the streets."


In order to keep its products safe, Google has adopted a philosophy of
'security as a cultural value' where it promotes security awareness.
The programme includes mandatory security training for developers, a
set of in-house security libraries, and code reviews both by Google
developers and outside security researchers.


Google believes that educating people about security is very
important, and it has a dedicated professional security team to handle
this task.


Petry contended that in an age where both users and companies are
increasingly relying on outside services and applications, it is
becoming nearly impossible to fully lock down a company.


"IT is largely fighting yesterday's battle," he said, in reference to the policy of trying to restrict all user access.


"Start saying okay, if these things are going to happen, do an assessment to try and bound the risk."


Petry noted that in addition to educating its employees, the company
also implements software 'guard rails', which warn users when
potentially risky actions are taken and log those actions for
administrators to review and archive.


For software developers, Petry also suggested taking a 'neighbourhood
watch' approach to vulnerability disclosure. For Google, this means
sharing more information with researchers and trusting them to do the
right thing with their discoveries.


That philosophy, combined with a policy of crediting all researchers
who report flaws, has been very successful for Google, said Petry.
