Google security: 'We all have to invent the wheel'

Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Written by Joris Evers, Contributor
Douglas Merrill first learned about online security while growing up in Arkansas. A natural geek, he spent Saturdays putting together computers with his dad, a physics professor.

While exploring the wilds of a young cyberspace in his early teens, he encountered bulletin boards run by hate groups. Appalled by what he read, Merrill figured out ways to "play with" membership rolls to convey his opposition.

"I had a goal to try and embarrass all the white supremacists in Arkansas," he said. "Arkansas is a relatively rural state. It is very beautiful. It is an incredible place to be a kid. There was also at the time a kind of unfortunate element in Arkansas that had some pretty strong political views that I pretty strongly disagreed with."

It was this formative experience, combating bigotry, that would teach him the power of technology in society. It was also the beginning of what would later become a guiding principle in his professional life as well.

Google photos

As vice president of engineering at Google, Merrill stands at the forefront of a critical period in the Digital Age as so-called Web 2.0 technologies pose unprecedented challenges to online security. And because it is one of the leading companies and proponents of today's open social-networking universe, Google is at the nucleus of this revolutionary change.

The company creates online services at a rapid pace and was one of the first to adopt new Web 2.0 programming techniques that complicate security because of their interactive nature. Google also provides a large target for hackers: bugs have been found in Gmail, AdWords, the Google Desktop program and many other technologies developed and employed by the company.

Tight security is something of a metaphor for Google, which is known throughout the industry for a corporate culture that is perhaps second only to Apple in its exceptionally tight control over company information. In summer 2005, the company instituted a policy of not talking with CNET News.com reporters in response to an article involving its search engine and privacy. A few months later however, Google ended its boycott.

Recognizing the significance of its role in Web security, Google provided News.com with an exclusive look into its efforts on the issue for this report. Because of its unique station--in March it attracted more visitors to its sites than any other company--Google's efforts in securing its own technologies have exponentially important consequences, reflecting the broader state of security for the Web as a whole.

"We don't yet know what all the things are that can break in these interesting, exciting, new, highly interactive Web applications," Merrill said. "We believe we are at the forefront of a new science. We all have to invent the wheel in Web security."

The monumental importance of that objective is masked by the unassuming surroundings of his department. The security team occupies a small space in one of the buildings on the sprawling Google campus in Mountain View, Calif., that's far from the hardened bunker one might imagine for a mission-critical security operation.

Merrill's office is distinguished by the kennel he's installed for his Dalmatian, whose pictures adorn the surroundings. Other appointments include a soft couch and a Mac with two wide-screen displays.

Next to several cubicles that house other security experts stands a mannequin in full Darth Vader garb. Crew members joke that he's the "friendly face" of Google security. (He's a party relic.)

The core crew has about 50 members, but the importance of security means that all Google employees involved in product development have a responsibility to make their technologies safe.

"The Google way of doing things is to get really smart people and make it very easy for them to do the right thing and kind of hard to do the wrong thing," Merrill said. "We have imprinted these really brilliant engineers at all levels, fresh out of college all the way up to very senior people, with a particular way of building code."

The hyper speed of Web development
If Google's approach toward security is unique, perhaps the reason is that it is the only company among its immediate rivals that grew up in the Web 2.0 era, which was founded on a philosophy of openness and sharing that is stretching the boundaries of what Web sites can do--and how they can protect themselves.


Today's hyper speed of Web development from all corners of cyberspace, not just R&D staffs employed by corporations, has changed the notion of digital security from the days of desktop computing. Microsoft, for example, has been developing desktop software since it was founded in 1975, but it's come to learn security lessons the hard way.

"There is a lot more history in building client-side applications and with history, with practice, the science gets better," Merrill said. "We're much farther up that curve with traditional desktop applications than we are yet with Web applications."

Web security does build on established computing principles of application design and creation, such as input validation and the principle of least privilege, a widely recognized design consideration to enhance the protection of data and functionality from faults and malicious behavior. But because the unprecedented level of Web 2.0 interactivity and development is still so new, the security implications aren't always clear; sometimes, it can actually make security easier.

One benefit of Web applications is that patching is much easier than traditional PC or server applications. Fixes don't need to be tested on multiple versions of an operating system, as Google knows exactly what its infrastructure is.

The security process has been in place since Google's early days as a search company, Merrill said. Priorities didn't change much as the company grew to be a provider of many other services, including e-mail, calendaring, advertising, online payments and Google Maps, one of the first Web applications to showcase the benefits of Ajax development techniques to a broad audience when it was launched in 2005.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

"It has been built into our code from early on, mostly because we realize that users' search data is extremely private to them." Merrill said. "Security has been in our DNA from the start, particularly once we started doing the advertising work and had advertisers' credit cards and other important data."

Google has multiple processes to lock down its products. All developers are taught Google's coding style, which includes many security principles. All code is reviewed by another developer and run through a scrubbing tool, aptly called "Lemon," before it is submitted in final form.

Particularly sensitive code, such as for billing applications, is created with extra care and then reused. A developer won't write new billing code for a new application.

Even so, much of the Google security team's time is still spent dealing with bugs in applications--and it relies on the Web at large to help hunt them down. When flaws are discovered, Google has a system in place for outside bug hunters to report them.

Google is the only big Web player that has a special page that acknowledges security researchers for reporting vulnerabilities. Bugs that are found get fixed; if the problem is of a new type, it is added to Lemon to prevent it in the future.

"We're going to find them all, but it is going to be awhile. Until we find them all, new bugs will happen," Merrill said. "As long as we all work together, we can manage the damage done by these bugs."

Editorial standards