Security is no longer just a function within an organisation, a government or a nation; it is a fundamental need of a connected world. Technology, at best, provides part of the defence needed to meet that need. Security professionals also have to keep the larger picture in mind if people are not to fall victim to the emerging landscape of cyberthreats.
Parisa Tabriz, Director of Engineering at Google, is responsible for making the Chrome browser a secure, stable and useful tool for browsing, manages the Project Zero security research team at Google, and is affectionately known as the Security Princess. She delivered the keynote at Black Hat USA 2018, which concluded yesterday.
Her key observations from the keynote are reproduced below as quotes:
- Industry and security practitioners have to identify and tackle the root causes of the problem and not just be satisfied with isolated fixes.
- We have to be more intentional in how we pursue our defensive projects. For this, we have to identify milestones and celebrate the progress and success along the way.
- To invest in building proactive defensive projects is a given in today’s world. But for a sustainable future, we have to build a coalition of champions to make the efforts successful.
- Project Zero of Google, announced in 2014, aims to advance the understanding of offensive security to inform and improve the defensive strategies. It wants to achieve the most effective defence from any single discovery.
- 98% of the security issues are fixed within the 90-day disclosure period, up from 25%, and it’s a huge paradigm shift. We are getting more security patches and faster response times.
- Everyone who cares about end-user security needs to be more open and transparent. It helps all defenders and the community at large.
- In addition to being more open, we need to collaborate more to ensure end-user security. We need to work together; outside of walls, towards shared security goals.
- Making fundamental change to the status quo is hard, but necessary. It may lead to upsetting people, but if you are not upsetting anyone, you are not changing the status quo.
- Without HTTPS, neither an end user nor a website can have any confidence in the security or privacy of data sent over the web.
- We are not always able to predict the exact form of potential threats to come, but we still have to invest proactively in defensive projects that protect the core security principles. Fundamentals like isolation, containment and simplicity work well.
You can also watch her full keynote video here.