The Keyword


Tackling cybersecurity vulnerabilities through Secure by Design


In today’s cybersecurity landscape, vulnerable software can act as the conduit for devastating events. That’s why it’s critical that technology is secure before it reaches people: security has to be designed in before the first line of code is written and maintained throughout the product’s lifecycle. This is what we call technology that is Secure by Design.

Today, we’re releasing a report, Secure by Design at Google, outlining how we use these principles to strengthen our infrastructure and take the security burden off users and developers by building software security in from the start. We’re also releasing Secure by Design: Google's Perspective on Memory Safety, which shares our insights on how Secure by Design applies to memory safety and offers a way to fix this decades-long vulnerability problem.

Secure by Design

Over the past year, we have rightfully seen policy initiatives attempt to help shift the security burden from the end-users to software manufacturers, such as CISA’s Secure by Design initiative and the recent White House Memory Safety report. However, the ecosystem is still lacking a widely-adopted guide to set organizations in the right direction.

Today’s Secure by Design paper shares Google’s years of experience using the concept to "build security in" during the design of a software product and throughout the development lifecycle, rather than "bolting it on" afterwards. We offer four Secure by Design principles for software design, development and deployment:

  • User/customer-centric design: we consider our products in the context of their use, and how user actions and choices could lead to adverse outcomes, especially when users cannot be reasonably expected to know whether a choice is risky.
  • Developers are users, too: in our experience, the development and deployment ecosystem in which a software product or service is produced has significant influence on its security posture, so we consider how to ensure that the developer ecosystem encourages secure design and prevents vulnerabilities and errors.
  • Thinking in terms of invariants: we ground our security design by defining properties that we expect to always hold for a system, even when it's under attack — our security invariants.
  • Design for understandability and assurance: software systems should be designed such that security experts can determine with confidence that the systems will indeed uphold their security invariants, and can do so at scale and throughout ongoing development over the lifecycle of the product.
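The "invariants" and "understandability" principles above are easiest to see in code. The following is an added example, not code from Google's report: a `SafeHtml` type whose only constructors are an escaping function and a wrapper for developer-written literals, so the invariant "untrusted data never reaches the HTML sink unescaped" is enforced by the compiler rather than by every call site being reviewed. The module name, the `&'static str` stand-in for "compile-time constant", and the `greeting_page` sink are assumptions made for this illustration.

```rust
// Added example, not code from Google's report: encoding a security
// invariant in a type so the compiler, not a code reviewer, enforces it.
// Invariant: every string that reaches the HTML sink is either a literal
// the developer wrote or runtime data that went through `escape`.
mod safe_html {
    /// An HTML fragment that upholds the invariant. The field is private,
    /// so `SafeHtml(some_request_param)` outside this module does not
    /// compile; the only constructors are the functions below.
    #[derive(Debug, Clone, PartialEq)]
    pub struct SafeHtml(String);

    impl SafeHtml {
        /// Escape untrusted text so it renders as text, never as markup.
        pub fn escape(untrusted: &str) -> SafeHtml {
            let mut out = String::with_capacity(untrusted.len());
            for c in untrusted.chars() {
                match c {
                    '&' => out.push_str("&amp;"),
                    '<' => out.push_str("&lt;"),
                    '>' => out.push_str("&gt;"),
                    '"' => out.push_str("&quot;"),
                    '\'' => out.push_str("&#39;"),
                    other => out.push(other),
                }
            }
            SafeHtml(out)
        }

        /// Wrap markup the developer wrote. Requiring `&'static str` is an
        /// assumption made here as a stand-in for "compile-time constant":
        /// a request body is a runtime `String` and cannot be passed in.
        pub fn from_literal(markup: &'static str) -> SafeHtml {
            SafeHtml(markup.to_string())
        }

        /// Concatenation preserves the invariant: every part already holds it.
        pub fn concat(parts: &[SafeHtml]) -> SafeHtml {
            SafeHtml(parts.iter().map(|p| p.0.as_str()).collect())
        }

        pub fn as_str(&self) -> &str {
            &self.0
        }
    }
}

use safe_html::SafeHtml;

/// The sink. Because it accepts only `&SafeHtml`, a reviewer asking "can
/// untrusted markup reach this sink?" audits the `safe_html` module once,
/// not every call site in the codebase. That is assurance at scale.
fn write_html(page: &SafeHtml) -> String {
    page.as_str().to_string()
}

/// Builds a page from literal template pieces and an untrusted user name.
/// Passing `untrusted_name` to `write_html` directly is a type error.
pub fn greeting_page(untrusted_name: &str) -> String {
    let page = SafeHtml::concat(&[
        SafeHtml::from_literal("<p>Hello, "),
        SafeHtml::escape(untrusted_name),
        SafeHtml::from_literal("!</p>"),
    ]);
    write_html(&page)
}

fn main() {
    // Constructed input: a classic script-injection payload.
    println!("{}", greeting_page("<script>alert(1)</script>"));
}
```

The design choice worth noting: the security property lives in one small module with a private field, so the set of code that must be correct for the invariant to hold is bounded and does not grow as the application grows.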

These four principles can help produce products and services that are designed to automatically defend users from things like malicious servers, network-level adversaries, attacks through downloaded files, phishing attacks, and more. These principles can also significantly reduce entire classes of vulnerabilities.

The responsibility is on our ecosystem, not the developer

Securing software has historically been the responsibility of developers, with the expectation they understand and follow complex secure-coding guidelines. It’s no wonder so many incidents start with an error when developing and deploying systems: failure to consider a security threat during the design of a system, introduction of a coding error during development that results in a vulnerability, or a configuration change that exposes a deployed system to attack.

We believe that a Secure-by-Design approach applied to developer ecosystems is one of the most effective ways to achieve high assurance levels of safety and security. A developer ecosystem designed for safety and security ensures security invariants for applications and prevents entire classes of vulnerabilities, providing assurance at scale. It’s why Google is investing to further expand the use of memory-safe languages to address the risk of developers accidentally introducing these kinds of vulnerabilities, putting that responsibility on the language itself. We are also investing in building out the external memory-safe ecosystem, through a $1,000,000 grant to the Rust Foundation, and funding efforts to bring Rust to the Linux kernel.
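To make "putting that responsibility on the language itself" concrete, here is an added example that is not from Google's report: parsing length-prefixed records, the classic place where C code trusts an attacker-supplied length field and reads past its buffer. The record format (2-byte big-endian length, then payload), the error type and the sample inputs are constructed for this illustration. In Rust the careful version returns a typed error, and even a naive transliteration of the C idiom fails with a checked, deterministic panic rather than reading adjacent memory.

```rust
// Added example, not code from Google's report. Format assumed here:
// a sequence of records, each a 2-byte big-endian length followed by
// that many payload bytes.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader { at: usize },
    LengthExceedsBuffer { at: usize, claimed: usize, available: usize },
    OffsetOverflow,
}

/// Careful parser: every slice goes through `get`, which returns `None`
/// instead of reading out of bounds, and every offset addition is checked.
/// The returned slices borrow from `buf`, so they cannot outlive it.
pub fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut off = 0usize;
    while off < buf.len() {
        let body_start = off.checked_add(2).ok_or(ParseError::OffsetOverflow)?;
        let hdr = buf
            .get(off..body_start)
            .ok_or(ParseError::TruncatedHeader { at: off })?;
        let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
        let body_end = body_start.checked_add(len).ok_or(ParseError::OffsetOverflow)?;
        let body = buf.get(body_start..body_end).ok_or(ParseError::LengthExceedsBuffer {
            at: off,
            claimed: len,
            available: buf.len() - body_start,
        })?;
        records.push(body);
        off = body_end;
    }
    Ok(records)
}

/// Naive parser: a direct transliteration of the C idiom, trusting the
/// length field. The compiler still inserts a bounds check on every index
/// and slice, so a lying length produces a panic, not a silent over-read.
pub fn parse_records_naive(buf: &[u8]) -> Vec<&[u8]> {
    let mut records = Vec::new();
    let mut off = 0;
    while off < buf.len() {
        let len = u16::from_be_bytes([buf[off], buf[off + 1]]) as usize;
        records.push(&buf[off + 2..off + 2 + len]);
        off += 2 + len;
    }
    records
}

/// Reports whether the language stopped the naive parser on `buf`.
pub fn naive_parser_panics(buf: &[u8]) -> bool {
    std::panic::catch_unwind(|| parse_records_naive(buf)).is_err()
}

/// Constructed input: two well-formed records, "abc" and "z".
pub fn sample_valid() -> Vec<u8> {
    vec![0x00, 0x03, b'a', b'b', b'c', 0x00, 0x01, b'z']
}

/// Constructed input: the header claims 255 payload bytes; only 2 follow.
pub fn sample_lying_length() -> Vec<u8> {
    vec![0x00, 0xFF, b'a', b'b']
}

/// Constructed input: one good record, then a single stray header byte.
pub fn sample_truncated_header() -> Vec<u8> {
    vec![0x00, 0x02, b'a', b'b', 0x05]
}

fn main() {
    println!("{:?}", parse_records(&sample_valid()));
    println!("{:?}", parse_records(&sample_lying_length()));
    println!("naive parser panicked: {}", naive_parser_panics(&sample_lying_length()));
}
```

The point is not that Rust programmers never make the mistake in `parse_records_naive`; it is that the mistake's worst outcome is a crash the developer sees in testing, not an information leak the developer never sees.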

Making products secure by the time they reach users’ hands means focusing upstream on how software is developed: perfecting safe coding, deployment and guidance. At Google, we will continue to engage deeply, share our experience, and partner to advance new frameworks, best practices and guidance to secure the digital domain for everyone.
