By Joris Evers
Staff writer, CNET News.com
June 25, 2007
Douglas Merrill first learned about online security while growing up in
Arkansas. A natural geek, he spent Saturdays putting together computers
with his dad, a physics professor.
While exploring the wilds of a young cyberspace in his early teens, he
encountered bulletin boards run by hate groups. Appalled by what he
read, Merrill figured out ways to "play with" membership rolls to convey
"I had a goal to try and embarrass all the white supremacists in
Arkansas," he said. "Arkansas is a relatively rural state. It is very
beautiful. It is an incredible place to be a kid. There was also at the
time a kind of unfortunate element in Arkansas that had some pretty
strong political views that I pretty strongly disagreed with."
It was this formative experience, combating bigotry, that would teach
him the power of technology in society. It was also the beginning of
what would later become a guiding principle in his professional life as
As vice president of engineering at Google, Merrill stands at the
forefront of a critical period in the Digital Age as so-called Web 2.0
technologies pose unprecedented challenges to online security. And
because it is one of the leading companies and proponents of today's
open social-networking universe, Google is at the nucleus of this
The company creates online services at a rapid pace and was one of the
first to adopt new Web 2.0 programming techniques that complicate
security because of their interactive nature. Google also provides a
large target for hackers: bugs have been found in Gmail, AdWords, the
Google Desktop program and many other technologies developed and
employed by the company.
Tight security is something of a metaphor for Google, which is known
throughout the industry for a corporate culture that is perhaps second
only to Apple in its exceptionally tight control over company
information. In summer 2005, the company instituted a policy of not
talking with CNET News.com reporters in response to an article involving
its search engine and privacy. A few months later however, Google ended
Recognizing the significance of its role in Web security, Google
provided News.com with an exclusive look into its efforts on the issue
for this report. Because of its unique station--in March it attracted
more visitors to its sites than any other company--Google's efforts in
securing its own technologies have exponentially important consequences,
reflecting the broader state of security for the Web as a whole.
"We don't yet know what all the things are that can break in these
interesting, exciting, new, highly interactive Web applications,"
Merrill said. "We believe we are at the forefront of a new science. We
all have to invent the wheel in Web security."
The monumental importance of that objective is masked by the unassuming
surroundings of his department. The security team occupies a small space
in one of the buildings on the sprawling Google campus in Mountain View,
Calif., that's far from the hardened bunker one might imagine for a
mission-critical security operation.
Merrill's office is distinguished by the kennel he's installed for his
Dalmatian, whose pictures adorn the surroundings. Other appointments
include a soft couch and a Mac with two wide-screen displays.
Next to several cubicles that house other security experts stands a
mannequin in full Darth Vader garb. Crew members joke that he's the
"friendly face" of Google security. (He's a party relic.)
The core crew has about 50 members, but the importance of security means
that all Google employees involved in product development have a
responsibility to make their technologies safe.
"The Google way of doing things is to get really smart people and make
it very easy for them to do the right thing and kind of hard to do the
wrong thing," Merrill said. "We have imprinted these really brilliant
engineers at all levels, fresh out of college all the way up to very
senior people, with a particular way of building code."
The hyper speed of Web development
If Google's approach toward security is unique, perhaps the reason is
that it is the only company among its immediate rivals that grew up in
the Web 2.0 era, which was founded on a philosophy of openness and
sharing that is stretching the boundaries of what Web sites can do--and
how they can protect themselves.
Today's hyper speed of Web development from all corners of cyberspace,
not just R&D staffs employed by corporations, has changed the notion of
digital security from the days of desktop computing. Microsoft, for
example, has been developing desktop software since it was founded in
1975, but it's come to learn security lessons the hard way.
"There is a lot more history in building client-side applications and
with history, with practice, the science gets better," Merrill said.
"We're much farther up that curve with traditional desktop applications
than we are yet with Web applications."
Web security does build on established computing principles of
application design and creation, such as input validation and the
principle of least privilege, a widely recognized design consideration
to enhance the protection of data and functionality from faults and
malicious behavior. But because the unprecedented level of Web 2.0
interactivity and development is still so new, the security implications
aren't always clear; sometimes, it can actually make security easier.
One benefit of Web applications is that patching is much easier than
traditional PC or server applications. Fixes don't need to be tested on
multiple versions of an operating system, as Google knows exactly what
its infrastructure is.
The security process has been in place since Google's early days as a
search company, Merrill said. Priorities didn't change much as the
company grew to be a provider of many other services, including e-mail,
calendaring, advertising, online payments and Google Maps, one of the
first Web applications to showcase the benefits of Ajax development
techniques to a broad audience when it was launched in 2005.
"It has been built into our code from early on, mostly because we
realize that users' search data is extremely private to them." Merrill
said. "Security has been in our DNA from the start, particularly once we
started doing the advertising work and had advertisers' credit cards and
other important data."
Google has multiple processes to lock down its products. All developers
are taught Google's coding style, which includes many security
principles. All code is reviewed by another developer and run through a
scrubbing tool, aptly called "Lemon," before it is submitted in final
Particularly sensitive code, such as for billing applications, is
created with extra care and then reused. A developer won't write new
billing code for a new application.
Even so, much of the Google security team's time is still spent dealing
with bugs in applications--and it relies on the Web at large to help
hunt them down. When flaws are discovered, Google has a system in place
for outside bug hunters to report them.
Google is the only big Web player that has a special page that
acknowledges security researchers for reporting vulnerabilities. Bugs
that are found get fixed; if the problem is of a new type, it is added
to Lemon to prevent it in the future.
"We're going to find them all, but it is going to be awhile. Until we
find them all, new bugs will happen," Merrill said. "As long as we all
work together, we can manage the damage done by these bugs."
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com