Slashdot Mirror


Google Shares Its Security Secrets

Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."

3 of 106 comments

  1. Code Reviews and Coding Conventions by Starrk · Score: 5, Insightful

    How many buffer overrun exploits have been found in other people's software because the coders are just lazy? Google also tries to prevent this by explicit rules that everyone must follow no matter what: for example, you are not allowed to check in code using sprintf instead of snprintf.

    A little thing to be sure... until you realize that it's one of many such rules, and they actually are followed.
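An added example, not part of the comment above and not Google's code: the sprintf-to-snprintf rule only closes the overflow if the return value is checked, because snprintf truncates silently. The helper name `bounded_format` and the sample inputs are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (name and signature are this example's own).
 * Formats into dst, which holds cap bytes. Returns 0 if the whole string
 * fit, -1 on truncation or error. dst is NUL-terminated when cap > 0. */
static int bounded_format(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dst == NULL || cap == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);   /* never writes more than cap bytes */
    va_end(ap);
    if (n < 0) {                        /* encoding error */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n >= cap)               /* cut short; n is the length needed */
        return -1;
    return 0;
}

/* Constructed input that fits in the buffer. */
static int demo_fits(void)
{
    char buf[16];
    return bounded_format(buf, sizeof buf, "user=%s", "alice") == 0
        && strcmp(buf, "user=alice") == 0;
}

/* Constructed input that does not fit. */
static int demo_truncates(void)
{
    char buf[16];
    /* sprintf(buf, "user=%s", name) would write past buf with this name. */
    int rc = bounded_format(buf, sizeof buf, "user=%s",
                            "a-name-much-longer-than-the-buffer");
    return rc == -1 && strlen(buf) == sizeof buf - 1;
}

int main(void)
{
    printf("fits: %d, truncation detected: %d\n", demo_fits(), demo_truncates());
    return 0;
}
```

Callers should treat the -1 result as a failure rather than using the truncated string, since a shortened path, query or identifier can be a bug of its own.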

  2. Re:So, explain ... by Starrk · Score: 5, Insightful

    Because distinguishing bots from humans is an unsolved problem. Even before Captchas were broken by computers, there was an easier solution:

    If you are stuck on a Captcha or equivalent, spam people, pretend the Captcha is yours, and offer free porn to anyone who solves it.

    Preventing this is virtually impossible.

  3. Re:It's that darn preset target by illegibledotorg · Score: 5, Insightful

    FWIW, their connection isn't any more encrypted than a standard VPN.

    The only part of the connection that is "more secure" is the authentication phase, since they had to use two factors to log in (their token code and their password).

    See Two-factor Authentication