As Google beta releases its new web browser, Chrome, a lot is being said about its security lapses that are quickly coming to light. I don’t believe it really matters if the lapses are big or small, correctable or not, or just marketing faux pas versus mere engineering slips. I am more concerned with the genesis of Google’s security challenges, and whether these traits can be inherently set right in short order.
I can’t say I can gauge the maturity of Google’s security programs. But I suspect that such elements of its program as security policy, deep training, consistent process and security technology already exist and can and will be raised to the necessary and highest levels.
Yet, I think there is something more… Could it be that Chrome’s security lapses might well be ingrained in Google’s DNA itself?
The Dominance Gene
After having ruled the search domain and annexed advertising, Google is on its next new quest. No, not web browsers, but in reality a platform that is an online operating system. And not just a platform for JavaScript support, but a doorway for hosting online applications.
They are quick to learn from Firefox the efficacy of open source to foster web browser innovation, and from Microsoft, the potential to control your search engine’s destiny through browsers. So high is this organization’s confidence in its engineering and market dominance that, with its modular development teams, it has stretched its portfolio from email, office and other solutions to browsers in a fairly short time.
It is this fact that makes me particularly nervous when it comes to security: the more silos of development groups and products, and the broader the portfolio, the more gaps and lapses in security, and the harder it is to enforce a consistent and comprehensive development and deployment of secure products. Microsoft knows firsthand, and it has taken several years for them to develop their security program to a level of maturity that today offers significantly more assurance to us consumers.
The yearning to dominate often overshadows the discipline needed for security.
The Simplicity Gene
Google assiduously represented its entire search functionality in seven words for the longest time on its search page. The mantra was simplicity in form and function, and they delivered pristinely with their unmatched search content.
This DNA, the zen for simplicity, is again evident in Chrome with merely two menus and few toolbar icons. It is elegant in its maximal content space, absent tool bars, consolidated address and search bars, clever navigational suggestions, thought-flow layouts with tab management capabilities and so on. Chrome seems to suggest, why do you need a progress bar when Chrome is so fast? Or, why would you need to manage your favorite stuff if Chrome does it for you so well?
Now, in its quest to bring universality and simplicity to its browser, Google seeks to incorporate various components of the Firefox, IE, Safari and Linux functionalities, and this is where one of the Chrome security problems has already struck: a component from an older version of Safari was used, even though it had a known vulnerability!
My fear is that the penchant for simpler form and function can lead to a false sense of secure product development, in that the simpler (or behind the scenes, more orchestrated) workflow and information flow can seem to be more controllable against security threats.
Not quite. In security, an old adage is Complexity = Simplicity * n.
If Google can add the Secure Products gene to its DNA, then that would really be Sustainable Security—one that could shift the player’s advantage hugely in Google’s favor.