After joining the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge in May, Google released its strategy on Tuesday for how it’s meeting the pledge’s seven security goals.
In a white paper released on Oct. 22, Google said that after joining the industry-wide effort, it has made progress toward meeting the goals of Secure by Design – an initiative stemming from CISA guidance issued in April 2023 that urges software manufacturers to develop secure-by-design products.
The pledge’s goals include using multi-factor authentication (MFA), eliminating default passwords, reducing vulnerabilities, making patching easier, disclosing vulnerabilities, updating common vulnerabilities and exposures (CVEs), and providing evidence of intrusions.
“Google recognizes that creating a truly secure digital ecosystem requires a collaborative approach – one that identifies common threats and develops shared solutions that protect users across the world,” said Google. “We invite industry partners, policymakers, and security experts to join us in this critical endeavor.”
“By working together, we can establish common standards, share best practices, and develop innovative solutions to combat evolving threats. We believe that through collective action – collaborating with everyone from security experts to competitors, governmental bodies, policy makers, and everyday citizens – we can build a more secure and resilient digital future for everyone,” it continued.
In its first goal of increasing the use of MFA, Google said strategies have included auto-enrolling consumer accounts into MFA and working to develop password-less passkeys in collaboration with FIDO. These passkeys have been used to authenticate users more than 2 billion times.
Notably, Google said it will require all Google Cloud users to enroll in MFA starting in 2025.
Treating default passwords as security vulnerabilities has changed the way that Google has approached the setup procedures of hardware-based products – such as a new Nest smart home device. By linking devices and services to Google accounts, the company said it has eliminated the need for preconfigured passwords.
To address entire classes of vulnerabilities, Google said it implemented a safe coding framework and a secure development environment managed by domain expert teams.
“We’ve found that the most effective approach to address classes of vulnerabilities due to potentially pervasive coding or configuration errors […] is to replace risky, mistake-prone APIs and platform features with functionally equivalent APIs that are designed to be safe by design, and which protect developers from the risk of accidentally introducing vulnerabilities – thereby enabling Safe Coding,” said Google.
Since adopting these enhanced security measures, Google said it has mitigated threats such as cross-site scripting, SQL injection, memory safety issues, and insecure cryptography.
In meeting the other goals, Google has worked toward making software updates easy for users to apply with quick and multi-layered deployment to reduce risk; collaborating within industry to identify and report vulnerabilities; offering guidance on addressing vulnerabilities and risks encountered with CVEs while addressing common vulnerabilities and exposures; and providing evidence of intrusions by informing users about security incidents and providing audit logs for visibility into activities.
Google noted that the white paper will be the first in a series of insights that it will publish in the coming months.
“Google supports CISA in their efforts on Secure by Design and believes that the practices outlined in this paper can help other security experts build truly defensible systems,” the company said. “While we have been successful in evolving and improving Google’s security posture, we do not intend to rest on our laurels. We will continue to innovate and push the boundaries of what’s possible in the security space.”
