Google: 'We all have to invent the wheel'

Google: 'We all have to invent the wheel'
Google: 'We all have to invent the wheel' 

By Joris Evers
Staff writer, CNET
June 25, 2007

Douglas Merrill first learned about online security while growing up in 
Arkansas. A natural geek, he spent Saturdays putting together computers 
with his dad, a physics professor.

While exploring the wilds of a young cyberspace in his early teens, he 
encountered bulletin boards run by hate groups. Appalled by what he 
read, Merrill figured out ways to "play with" membership rolls to convey 
his opposition.

"I had a goal to try and embarrass all the white supremacists in 
Arkansas," he said. "Arkansas is a relatively rural state. It is very 
beautiful. It is an incredible place to be a kid. There was also at the 
time a kind of unfortunate element in Arkansas that had some pretty 
strong political views that I pretty strongly disagreed with."

It was this formative experience, combating bigotry, that would teach 
him the power of technology in society. It was also the beginning of 
what would later become a guiding principle in his professional life as 

As vice president of engineering at Google, Merrill stands at the 
forefront of a critical period in the Digital Age as so-called Web 2.0 
technologies pose unprecedented challenges to online security. And 
because it is one of the leading companies and proponents of today's 
open social-networking universe, Google is at the nucleus of this 
revolutionary change.

The company creates online services at a rapid pace and was one of the 
first to adopt new Web 2.0 programming techniques that complicate 
security because of their interactive nature. Google also provides a 
large target for hackers: bugs have been found in Gmail, AdWords, the 
Google Desktop program and many other technologies developed and 
employed by the company.

Tight security is something of a metaphor for Google, which is known 
throughout the industry for a corporate culture that is perhaps second 
only to Apple in its exceptionally tight control over company 
information. In summer 2005, the company instituted a policy of not 
talking with CNET reporters in response to an article involving 
its search engine and privacy. A few months later however, Google ended 
its boycott.

Recognizing the significance of its role in Web security, Google 
provided with an exclusive look into its efforts on the issue 
for this report. Because of its unique station--in March it attracted 
more visitors to its sites than any other company--Google's efforts in 
securing its own technologies have exponentially important consequences, 
reflecting the broader state of security for the Web as a whole.

"We don't yet know what all the things are that can break in these 
interesting, exciting, new, highly interactive Web applications," 
Merrill said. "We believe we are at the forefront of a new science. We 
all have to invent the wheel in Web security."

The monumental importance of that objective is masked by the unassuming 
surroundings of his department. The security team occupies a small space 
in one of the buildings on the sprawling Google campus in Mountain View, 
Calif., that's far from the hardened bunker one might imagine for a 
mission-critical security operation.

Merrill's office is distinguished by the kennel he's installed for his 
Dalmatian, whose pictures adorn the surroundings. Other appointments 
include a soft couch and a Mac with two wide-screen displays.

Next to several cubicles that house other security experts stands a 
mannequin in full Darth Vader garb. Crew members joke that he's the 
"friendly face" of Google security. (He's a party relic.)

The core crew has about 50 members, but the importance of security means 
that all Google employees involved in product development have a 
responsibility to make their technologies safe.

"The Google way of doing things is to get really smart people and make 
it very easy for them to do the right thing and kind of hard to do the 
wrong thing," Merrill said. "We have imprinted these really brilliant 
engineers at all levels, fresh out of college all the way up to very 
senior people, with a particular way of building code."

The hyper speed of Web development

If Google's approach toward security is unique, perhaps the reason is 
that it is the only company among its immediate rivals that grew up in 
the Web 2.0 era, which was founded on a philosophy of openness and 
sharing that is stretching the boundaries of what Web sites can do--and 
how they can protect themselves.

Today's hyper speed of Web development from all corners of cyberspace, 
not just R&D staffs employed by corporations, has changed the notion of 
digital security from the days of desktop computing. Microsoft, for 
example, has been developing desktop software since it was founded in 
1975, but it's come to learn security lessons the hard way.

"There is a lot more history in building client-side applications and 
with history, with practice, the science gets better," Merrill said. 
"We're much farther up that curve with traditional desktop applications 
than we are yet with Web applications."

Web security does build on established computing principles of 
application design and creation, such as input validation and the 
principle of least privilege, a widely recognized design consideration 
to enhance the protection of data and functionality from faults and 
malicious behavior. But because the unprecedented level of Web 2.0 
interactivity and development is still so new, the security implications 
aren't always clear; sometimes, it can actually make security easier.

One benefit of Web applications is that patching is much easier than 
traditional PC or server applications. Fixes don't need to be tested on 
multiple versions of an operating system, as Google knows exactly what 
its infrastructure is.

The security process has been in place since Google's early days as a 
search company, Merrill said. Priorities didn't change much as the 
company grew to be a provider of many other services, including e-mail, 
calendaring, advertising, online payments and Google Maps, one of the 
first Web applications to showcase the benefits of Ajax development 
techniques to a broad audience when it was launched in 2005.

"It has been built into our code from early on, mostly because we 
realize that users' search data is extremely private to them." Merrill 
said. "Security has been in our DNA from the start, particularly once we 
started doing the advertising work and had advertisers' credit cards and 
other important data."

Google has multiple processes to lock down its products. All developers 
are taught Google's coding style, which includes many security 
principles. All code is reviewed by another developer and run through a 
scrubbing tool, aptly called "Lemon," before it is submitted in final 

Particularly sensitive code, such as for billing applications, is 
created with extra care and then reused. A developer won't write new 
billing code for a new application.

Even so, much of the Google security team's time is still spent dealing 
with bugs in applications--and it relies on the Web at large to help 
hunt them down. When flaws are discovered, Google has a system in place 
for outside bug hunters to report them.

Google is the only big Web player that has a special page that 
acknowledges security researchers for reporting vulnerabilities. Bugs 
that are found get fixed; if the problem is of a new type, it is added 
to Lemon to prevent it in the future.

"We're going to find them all, but it is going to be awhile. Until we 
find them all, new bugs will happen," Merrill said. "As long as we all 
work together, we can manage the damage done by these bugs."

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods