Security by Google
Nicolas RUFF
nruff+ins15(at)google.com
Google Proprietary
Introduction
This talk contains no confidential information.
Only actionable information that you will be able to use right away!
Protecting users
Passwords are dead
http://www.cnet.com/news/google-security-exec-passwords-are-dead/
Strong authentication is practical: https://fidoalliance.org/
● Already enabled for most Google services
● Will be integrated in Windows 10, too
Protecting users
Key take-away: enable 2FA now!
We will take care of the rest.
FREE
CHEAP
"SSL Everywhere"
Source: Google I/O 2014
https://docs.google.com/presentation/d/15H8Sj-Zol1tcum0CSylhmXns5r7cvNFtzYrcwAzkTjM/present?slide=id.g12f3ee71d_10
● Most Google services are served over HTTPS
○ Even Ads: http://adsense.blogspot.com/2013/09/use-adsense-on-your-https-sites13.html
● HTTPS is used as a ranking signal
○ http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html
● SPDY, then HTTP/2: browsers only speak them over TLS, so adopting them means adopting HTTPS
○ https://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html
SSL is no good without a few extras
● Perfect Forward Secrecy (PFS)
○ Enabled back in 2011: http://googleonlinesecurity.blogspot.com/2011/11/protecting-data-for-long-term-with.html
● Safe implementations
○ BoringSSL: https://boringssl.googlesource.com/
○ Crypto research (Heartbleed, POODLE, BEAST, CRIME, ...)
● Deprecation of unsafe algorithms
○ E.g. MD5 and SHA-1: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
● HTTP Strict Transport Security (HSTS)
● Certificate Pinning
● Certificate Transparency (W.I.P.)
○ https://github.com/google/certificate-transparency
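Two of the extras listed above, HSTS and forward secrecy, can be checked mechanically. The Python below is an added example written for this page, not code from Google or from the talk: it parses a Strict-Transport-Security header the way RFC 6797 says browsers must (no max-age or a repeated directive makes the header invalid), decides from a cipher suite name whether the key exchange was ephemeral, and reports findings on constructed sample values. The one-year max-age, includeSubDomains and preload conditions are assumed here to be the preload-list criteria; check the current rules before relying on them. The probe_live helper is the only part that touches the network and the demonstration does not call it.

```python
"""HSTS policy validation (RFC 6797) and a forward-secrecy check on a
negotiated cipher suite name. Example code written for this page."""
import http.client
import re
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Assumption: preload-list criteria (one-year max-age, includeSubDomains,
# preload) as they stood when this example was written.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None when the header is
    invalid (no max-age, or a directive repeated); browsers ignore such headers."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age="300" is also allowed
        if name in seen:
            return None                      # RFC 6797: each directive at most once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def has_forward_secrecy(cipher_suite: str) -> bool:
    """True when the key exchange is ephemeral, so a later compromise of the
    server's long-term key cannot decrypt recorded traffic. Accepts OpenSSL
    names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names (TLS_ECDHE_RSA_WITH_...)."""
    name = cipher_suite.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True                          # TLS 1.3 suites: key exchange is always (EC)DHE
    # Static RSA and static (EC)DH key exchange never spell out "DHE" / "ECDHE".
    return re.search(r"(?:^|[_-])(?:EC)?DHE[_-]", name) is not None


def audit(hsts_header: Optional[str], cipher_suite: str) -> List[str]:
    """Findings for one host; an empty list means every check passed."""
    findings = []
    policy = parse_hsts(hsts_header) if hsts_header else None
    if policy is None:
        findings.append("HSTS: header missing or invalid")
    else:
        if policy.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("HSTS: max-age shorter than one year")
        if not policy.include_subdomains:
            findings.append("HSTS: includeSubDomains missing (plain-HTTP subdomains can leak cookies)")
        if not policy.preload:
            findings.append("HSTS: preload missing (the very first visit is still unprotected)")
    if not has_forward_secrecy(cipher_suite):
        findings.append("TLS: negotiated cipher suite has no forward secrecy")
    return findings


def probe_live(host: str) -> List[str]:
    """Fetch the real header and cipher from a host. Needs network access; the
    offline demonstration below does not call it."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    negotiated = conn.sock.cipher()[0]       # OpenSSL-style name, e.g. ECDHE-RSA-AES128-GCM-SHA256
    return audit(resp.getheader("Strict-Transport-Security"), negotiated)


if __name__ == "__main__":
    # Constructed sample values, not captured from any real host.
    for header, suite in [("max-age=300", "AES128-SHA"),
                          ("max-age=31536000; includeSubDomains; preload",
                           "ECDHE-RSA-AES128-GCM-SHA256")]:
        print(header, "/", suite, "->", audit(header, suite) or ["OK"])
```

The cipher check works on names only, so it tells you whether the negotiated suite *can* give forward secrecy; it does not detect a server that keeps reusing one ephemeral key or that resumes sessions with long-lived tickets, which undo the property in practice.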
Quality Open Source software
Pick all of those ...
● Google GitHub repository
○ https://github.com/google
● Google Summer of Code
○ https://www.google-melange.com/
● Core Infrastructure Initiative
○ http://www.linuxfoundation.org/programs/core-infrastructure-initiative
● Research Awards
○ http://research.google.com/university/relations/
Killing all the bugs
● List of security bugs fixed by Googlers
○ https://www.google.com/about/appsecurity/research/
● lcamtuf's very own fuzzer (AFL)
○ http://lcamtuf.coredump.cx/afl/
○ Results: https://fuzzing-project.org/
● Project Zero
○ http://googleprojectzero.blogspot.com/
● Cloud customers get an awesome Web security scanner for free
○ https://cloud.google.com/tools/security-scanner/
Vulnerability Research Program(s)
We might pay you if ...
● You found a bug in our products
○ https://www.google.com/about/appsecurity/reward-program/
● You want to spend time finding bugs in our products
○ https://www.google.com/about/appsecurity/research-grants/
● You significantly enhanced the security of a critical Open Source project
○ https://www.google.com/about/appsecurity/patch-rewards/
Vulnerability Research Program(s)
... and this is for real: $1.5M spent last year
● http://googleonlinesecurity.blogspot.ch/2015/01/security-reward-programs-year-in-review.html
● https://plus.google.com/+EduardoVelaNava/posts/BGaXYSvrpui
Top VRP contributors attending a fun event @ Google
What if a few bugs still remain?
Hardening!
● Fighting XSS with templating systems that escape output according to its context
○ https://github.com/google/closure-templates
● Sandboxing
○ https://code.google.com/p/chromium/wiki/LinuxSandboxing
● NaCl
○ https://developer.chrome.com/native-client
● Linux kernel features
○ E.g. seccomp-bpf (system call filtering)
● Compiler hardening
○ Cf. LLVM features and roadmap
○ ASan (AddressSanitizer), clang-format-fuzzer, Control Flow Integrity, ...
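The first hardening item above, context-aware output escaping, is what makes a templating system an XSS defence rather than just string concatenation. The Python below is an added example written for this page, not Closure Templates or any Google code: it renders a small template in which the same attacker-controlled value lands in HTML text, in an attribute, in an href and inside a script block, and picks a different escaper for each. The context inference here is a regex heuristic on the output produced so far (a real implementation parses the template's HTML); the placeholder syntax {$name}, the about:invalid#blocked sentinel and the allow-listed URL schemes are this example's own choices, and the template and payloads are constructed.

```python
"""Contextual auto-escaping in miniature: one value, four contexts, four
escapers. Example code written for this page, not Closure Templates."""
import html
import json
import re

PLACEHOLDER = re.compile(r"\{\$(\w+)\}")              # {$name}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}          # example's allow-list
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
ATTR_RE = re.compile(r'([a-zA-Z:-]+)\s*=\s*"[^"]*$')   # attribute whose quoted value is still open


def escape_html(value) -> str:
    """Text between tags, or inside a double-quoted attribute value."""
    return html.escape(str(value), quote=True)


def escape_url(value) -> str:
    """Value of href/src/action: refuse schemes such as javascript: and data:
    (escaping cannot neutralise them), then attribute-escape the rest.
    about:invalid#blocked is this example's harmless sentinel."""
    value = str(value)
    m = SCHEME_RE.match(value.strip())
    if m and m.group(1).lower() not in SAFE_URL_SCHEMES:
        return "about:invalid#blocked"
    return html.escape(value, quote=True)


def escape_js(value) -> str:
    """Inside <script>: emit a complete JS string literal, quotes included, so
    the template writes `var x = {$v};`. < > & are encoded as \\uXXXX so that a
    `</script>` inside the value cannot close the script block."""
    literal = json.dumps(str(value))                    # also escapes quotes, U+2028/2029, controls
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


ESCAPERS = {"html": escape_html, "attr": escape_html, "url": escape_url, "js": escape_js}


def infer_context(prefix: str) -> str:
    """Pick the escaper from the output emitted so far. Escaped values never
    contain raw < > or ", so only the template's own markup affects the result."""
    lower = prefix.lower()
    if lower.rfind("<script") > lower.rfind("</script>"):
        return "js"
    if prefix.rfind("<") > prefix.rfind(">"):           # still inside a tag
        m = ATTR_RE.search(prefix[prefix.rfind("<"):])
        if not m:
            # Attribute name or unquoted attribute value: no escaper makes this
            # safe, so fail closed instead of guessing.
            raise ValueError("placeholder in unsupported position: " + prefix[-40:])
        return "url" if m.group(1).lower() in ("href", "src", "action") else "attr"
    return "html"


def render(template: str, **values) -> str:
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        context = infer_context("".join(out))
        out.append(ESCAPERS[context](values[m.group(1)]))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def render_naive(template: str, **values) -> str:
    """Plain interpolation with no escaping: the pattern the templating system replaces."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


# Constructed template and attacker-controlled values, not taken from any real site.
TEMPLATE = ('<a href="{$url}" title="{$title}">{$name}</a>'
            '<script>var who = {$name};</script>')
PAYLOADS = dict(url="javascript:alert(1)",
                title='" onmouseover="alert(1)',
                name='<img src=x onerror=alert(1)></script><script>alert(2)')

if __name__ == "__main__":
    print("naive  :", render_naive(TEMPLATE, **PAYLOADS))
    print("escaped:", render(TEMPLATE, **PAYLOADS))
```

The point of the fail-closed branch in infer_context is the same one a real contextual autoescaper makes: a value placed where escaping cannot help (as an attribute name, in an unquoted attribute, or as raw JavaScript code) is a template bug and should be rejected at build time, not quietly emitted.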
... and it works
Source: G-Jacking AppEngine-based Applications, HITB Amsterdam 2014, Nicolas Collignon and Samir Megueddem
Source: http://seclists.org/fulldisclosure/2014/Dec/26
What if something happens?
Incident Response!
● Google Rapid Response
○ https://github.com/google/grr
● Rekall Memory Forensics
○ http://www.rekall-forensic.com/
● Plaso
○ https://github.com/log2timeline/plaso
● ... and Joachim Metz's awesomeness (the libyal libraries)
○ https://github.com/libyal
Conclusion
Security is a process, not a product
-- Bruce Schneier
Security is a journey, not a destination
-- Wrongly attributed to the Dalai Lama :)
References
Google's Approach to IT Security
https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf
Google Online Security Blog
http://googleonlinesecurity.blogspot.com/
EOF