pwshub.com

Google highlights seven key security goals in new ‘Secure by Design’ white paper

A new white paper released today by Google LLC highlights its ongoing efforts to incorporate security across its products through a “Secure by Design” approach.

The paper, “An Overview of Google’s Commitment to Secure by Design,” covers how Google has continued to deliver on seven goals as part of the Secure by Design pledge. The pledge, made by Google and other companies, is a voluntary commitment to specific security goals, spearheaded by the U.S. Cybersecurity and Infrastructure Security Agency.

The first goal, the implementation of multifactor authentication, focuses on enhancing user security by requiring multiple verification steps during sign-in.

Google has long been a leader in this area, having launched Google Authenticator and 2-Step Verification for Google Workspace back in 2010. Since then, the company has expanded its MFA offerings through initiatives such as the Advanced Protection Program and collaborations with the FIDO Alliance. All that has culminated in the introduction of passkeys, a passwordless authentication method that has been used more than a billion times, providing a simpler yet more secure alternative to traditional passwords.

The second goal, tackling default passwords, addresses the security risks they pose by treating them as vulnerabilities. Google has implemented measures across its products to eliminate their use, such as requiring users to log in with their Google Accounts instead. The approach has also been applied to devices such as Nest and Pixel, as well as services such as Workspace and Google Cloud, to ensure stronger security without relying on preconfigured passwords.

Reducing entire classes of vulnerability, the third goal, has seen Google adopt a safe coding framework and secure development environment to address issues at scale. By evolving its methods, Google has mitigated threats such as cross-site scripting, SQL injection, memory safety problems and insecure cryptography to ensure more robust software security across its products.

For security patches, the fourth goal, Google has focused on making software updates seamless and easy for users to apply. By prioritizing quick deployment of fixes, Google reduces the risk of exploitation, with ChromeOS serving as an example through its automatic updates and multiple layers of protection that help keep it ransomware- and virus-free.

The fifth goal, vulnerability disclosure, emphasizes collaboration within the industry to identify and report security issues. Google has long been a champion for transparency and proactively seeks external reports through its Vulnerability Rewards Program, which has distributed nearly $59 million in rewards across 18,500 instances, contributing to the security of its products.

The next goal, addressing common vulnerabilities and exposures, focuses on ensuring that critical fixes are applied. Google prioritizes issuing CVEs for products that require updates and provides detailed security bulletins for Android, Chrome, ChromeOS and Google Cloud while also offering users guidance on addressing vulnerabilities and mitigating risks.

The last goal, providing evidence of intrusions, ensures users are informed about security incidents without unnecessary noise. Google achieves this through personalized security alerts for Google Accounts and tools such as Security Checkup. In Google Cloud, audit logs provide visibility into activities and Workspace administrators can review user actions using audit tools, helping enterprises detect potential intrusions efficiently.

Google plans for today’s white paper to be the first in a series of insights it will publish in the coming months.

Source: siliconangle.com
