Google thinks global Internet security with Project Zero

Project Zero will bring Google's global scale and view to Internet security research

Google is increasing its efforts in Internet security and is looking to hire security researchers for its newly formed Project Zero team.

In a post in Google's Online Security Blog, Google researcher Chris Evans said that people should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect a computer, steal secrets, or monitor communications, but sophisticated zero-day day attacks, targeting human rights activists, for example, or for industrial espionage, are threats. Google believes more can be done to tackle the problem.

"Project Zero is our contribution to start the ball rolling," said Evans. "Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically minded security researchers and contributing 100 percent of their time toward improving security across the Internet."

Analyst Adrian Sanabria, of 451 Research, lauded Google's efforts. "What's most relevant here is that Project Zero isn't just targeting bugs and vulnerabilities in Google's own software, they're targeting anything that could threaten Internet users, many of which are directly or indirectly Google customers," he said. "There's nothing better than a self-serving project that also benefits the common good. Win/win." With its considerable clout, Google has a much better chance of getting bugs fixed in a reasonable timeframe, Sanabria added.

All bugs discovered will be filed in an external database and reported to the software's vendor, not third parties. "Once the bug report becomes public (typically once a patch is available), you'll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces," Evans said. Google also will conduct research into mitigations, exploitation, and program analysis.

Google often is criticized for violating privacy rights, with its ability to track users' searching habits to send targeted ads. But Sanabria sees that as a different issue. "I could, however, see people nervously pointing out that Google will potentially own a lot of zero days -- perhaps more than some governments' offensive cyber divisions," Sanabria said. "I can't see any realistic danger from this, except that Google might become a target from people who want the millions of dollars' worth of zero days they might have."

Previous security efforts at Google have included using strong SSL encryption by default for its Search, Gmail, and Drive applications, and encrypting data moving between Google data centers. The company also has helped in such efforts as discovery of the Heartbleed bug, said Evans.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform