{"id":19442,"date":"2024-10-22T13:50:01","date_gmt":"2024-10-22T13:50:01","guid":{"rendered":"http:\/\/scannn.com\/google\/seven-way-google-incorporates-security-by-design\/"},"modified":"2024-10-22T13:50:01","modified_gmt":"2024-10-22T13:50:01","slug":"seven-way-google-incorporates-security-by-design","status":"publish","type":"post","link":"https:\/\/scannn.com\/lv\/seven-way-google-incorporates-security-by-design\/","title":{"rendered":"Seven ways Google incorporates Security by Design"},"content":{"rendered":"<div>\n<p data-block-key=\"jin3g\">In an interconnected world facing growing cyber attacks, it\u2019s critical to ensure that technology systems are resilient to keep people safe. For over 20 years, Google has pioneered a Secure by Design approach, meaning we embed security into every phase of the software development lifecycle \u2014 not just at the beginning or the end.<\/p>\n<p data-block-key=\"9578e\">Earlier this year, we joined the U.S. Cybersecurity &amp; Infrastructure Security Agency (CISA), and now over 200 of our industry peers, to sign the Secure by Design Pledge \u2014 a voluntary commitment to specific security goals. Today, we\u2019re publishing our white paper \u201cAn Overview of Google&#8217;s Commitment to Secure by Design,\u201d which covers how we\u2019ve continued to deliver on the pledge\u2019s seven goals. This post shares highlights of the paper in hopes of providing a helpful industry guide on how to start on Secure by Design, or make adjustments for better implementation.<\/p>\n<h2 data-block-key=\"1mnvk\">Google&#8217;s approach to the 7 Secure by Design goals<\/h2>\n<ol>\n<li data-block-key=\"egfpi\"><b>Multi-Factor Authentication (MFA):<\/b> Americans lost $12.5 billion to phishing and scams in 2023, making the need for protections like MFA critical. Google\u2019s journey with MFA dates back to 2010, when we launched Google Authenticator and 2-Step Verification (2SV) for Google Workspace. 
Since then, we\u2019ve steadily made progress through our work with FIDO Alliance, Advanced Protection Program (APP), security keys and auto-enrolling people in 2SV. More recently, we\u2019ve been part of the push to passwordless sign-in with passkeys (a safer, easier alternative to passwords), which have been used to authenticate users more than 1 billion times.<\/li>\n<li data-block-key=\"b51uc\"><b>Default passwords:<\/b> Default passwords in software and hardware are easy for bad actors to find, which means they can lead to widespread unauthorized access. That\u2019s why we treat discovered default passwords as vulnerabilities of their own, and have implemented measures across our products to mitigate this risk. We use a system that links our products to your Google Account, so devices do not rely on pre-configured passwords. So configuring products like a new Nest smart home device or Google Pixel phone requires you to log in with your Google Account. This is similar to how our software-based services are set up and accessed. For example, services like Workspace and Google Cloud are managed by organization administrators and the setup process does not involve default passwords.<\/li>\n<li data-block-key=\"9mgkp\"><b>Reducing entire classes of vulnerability:<\/b> Our approach to designing secure software starts with our safe coding framework and secure development environment, helping us reduce entire classes of vulnerabilities. Google has a long history of addressing vulnerabilities at scale including cross-site scripting (XSS), SQL injection (SQLi), memory safety issues, and insecure use of cryptography. We\u2019ve done this by evolving our methods and using approaches like Safe Coding.<\/li>\n<li data-block-key=\"1jooq\"><b>Security patches:<\/b> Vendors should seek to reduce the burden on end users by making it as easy as possible to apply software updates. 
Google prioritizes this approach and focuses on the uptake of our fixes, emphasizing quick deployment to lessen the chances of a bad actor exploiting flaws. ChromeOS is a great example, as it uses multiple layers of protection combined with automatic, seamless updates to keep it ransomware- and virus-free.<\/li>\n<li data-block-key=\"531et\"><b>Vulnerability disclosure:<\/b> Industry collaboration is key to finding and reporting bugs and vulnerabilities. Google has been a long-time proponent of transparency, which means we take proactive measures to find issues and welcome the help of the security industry for external reports. Our Vulnerability Disclosure Policy and Vulnerability Rewards Programs (VRP) have connected us to security researchers that have helped us to secure our products. Since we launched the VRP, we\u2019ve distributed 18,500 rewards totaling nearly $59 million.<\/li>\n<li data-block-key=\"1nfh4\"><b>Common Vulnerabilities and Exposures (CVEs):<\/b> CVEs are meant to help identify fixes that have not been applied by a customer or user. Google prioritizes issuing CVEs for products that require action to update. We also provide security bulletins for consumers and businesses on various products, including Android, Chrome Browser, ChromeOS and Google Cloud, detailing vulnerabilities and offering guidance on mitigation.<\/li>\n<li data-block-key=\"7hn26\"><b>Evidence of intrusions:<\/b> Just like physical security issues, people deserve to be informed about possible intrusions, without an overload of irrelevant information. We do this via warnings about the security of your Google Account, and by providing our Security Checkup for personalized recommendations and Security Alerts. For Cloud, we use audit logs to record and give visibility into activities within customers\u2019 Google Cloud resources. Cloud Logging helps customers with the centralization and retention of logs starting at 30 days, with the option to extend. 
In Workspace, domain administrators can use the audit and investigation tool and Reports API to review user and administrator activity across products like Gmail, Drive, Docs and Chat. Enterprises can leverage Android Enterprise capabilities, such as Security Audit Logs and Network Event Logs, to look for evidence of intrusions.<\/li>\n<\/ol>\n<p data-block-key=\"86h2t\">We\u2019ve dedicated years to incorporating Secure by Design at Google, but our work is not done, and we look forward to sharing more ways we\u2019ll deliver on CISA\u2019s pledge. Today\u2019s whitepaper will be the first of a series of insights we\u2019ll publish in the coming months. Securing our digital ecosystem is a team sport, so we also encourage industry partners, policymakers and security experts to join this important work. And you can learn more about how our products are built with safety from the start at Safer with Google.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.google\/technology\/safety-security\/google-secure-by-design-pledge\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an interconnected world facing growing cyber attacks, it\u2019s critical to ensure that technology systems are resilient to keep people safe. For over 20 years, Google has pioneered a Secure by Design approach, meaning we embed security into every phase of the software development lifecycle \u2014 not just at the beginning or the end. 
Earlier [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":19443,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[100],"tags":[],"class_list":["post-19442","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google"],"_links":{"self":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/19442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/comments?post=19442"}],"version-history":[{"count":0,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/19442\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media\/19443"}],"wp:attachment":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media?parent=19442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/categories?post=19442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/tags?post=19442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}