Google Shares Its Security Secrets 106
Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."
Security secrets? (Score:5, Informative)
What is covered is some general security policy and philosophy.
And here I was, waiting to read all about GIDS and GFirewall. Thanks, ITNews, for instead educating be about archiving security logs for later review!
Fluff Acticle (Score:1, Informative)
Re:Code Reviews and Coding Conventions (Score:5, Informative)
Tools like PMD help with this .
We ended up getting bitten by bugs like unsynchronized access to static DateFormat object so we wrote used a PMD rule to fail our build if anyone does such a thing. We have other rules that curb the use of IOUtils.copy (instead of copyLarge).
I highly recommend using some sort of static analysis as part of your CI process
Re:The advantage of being an internet company (Score:4, Informative)
Re:Code Reviews and Coding Conventions (Score:3, Informative)
Variations include having the code analysis tool throw "compiler" warnings, and make the compilation to consider warnings as errors and fail the build.
Once you start working in an environment that does such things, you don't go back: the code quality goes up 10x.
physical security (Score:3, Informative)
Also, the whole place is made out of floor to ceiling glass windows. Would be really simple to shoulder surf somebody's display through a telescopic lens or listen against a windows with a laser mic. There's a reason high security buildings tend to resemble windowless block houses. Hopefully, anybody with a window seat at the Googleplex never processes sensitive data.
Any competently run site is pingable. (Score:5, Informative)
I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why?
Ping is a service we all should provide to our internal networks from individual hosts, and to the Internet at large at the network edge. Configure your routers to respond to pings for your hosts instead of passing them through the firewalls. Ping is how people who need to test their ability to reach your hosts or site can do so. It is a simple tool that consumes a minimal amount of bandwidth to get the job done.
Hmmm... where's BadAnalogyGuy when you need him? OK, look, blocking ping is like saying that you've seen a guy killed by an Isuzu truck, so you think you can prevent all fatal accidents by banning Isuzu trucks from the highway. In reality, all you will do is prevent beer deliveries to my house, since my beer distributor uses Isuzus. This will make me hate you, just like people hate clueless firewall admins who block ICMP. Or wait, you saw a guy get bludgeoned to death with a hammer so you will ban all hammers while allowing people with large wrenches, razor knives and screwdrivers to pass without comment. That was pretty bad I think.