A change at the top for Google but what really needs to be altered within?

Opinion by Dan Raywood

The recent board-level changes at Google have pushed a new name into the software world to join the likes of Jobs, Ballmer and Zuckerberg.

The decision by Eric Schmidt to leave his role as CEO and be replaced with Larry Page will probably not have a huge impact on security; after all, Google's biggest issues with security have been its notable failings over the Buzz privacy settings and the Street View data harvest.

On his departure, Schmidt said Page will lead product development and technology strategy and, from 4th April 2011, will be the company CEO. “In this new role I know he will merge Google's technology and business vision brilliantly. I am enormously proud of my last decade as CEO, and I am certain that the next ten years under Larry will be even better! Larry, in my clear opinion, is ready to lead,” said Schmidt.

Schmidt will become executive chairman focusing on external deals, partnerships, customers and broader business relationships, government outreach and technology thought leadership. Sergey Brin will be titled co-founder and will devote his time to strategic projects, in particular working on new products.

So is there much to fix or change when it comes to security and Google? As more of a user than anything else it is easy to be reactionary to any challenges posed by the product range, so I turned to some people in security to see what they think the first actions of the new board should be.

Gerhard Eschelbeck, chief technology officer and SVP of engineering at Webroot, said that two things come to mind relating to Google and security. The first is a compliment on some of the existing security initiatives it is pushing, such as the safe browsing initiatives or the vulnerability reward program on its platforms.

“Secondly, a suggestion for Google, as they are more and more becoming a platform for both the web and the mobile world, Google should put more emphasis on enabling their external developer communities to foster development of secure applications on top of their platforms. It is the third party applications that will matter on these platforms, while at the same time, they are the primary targets for attack,” he said.

Jason Steer, solutions architect EMEA at Veracode, identified five key areas for Page to correct: secure the Google Android Marketplace; secure collection of user data; encryption of all data in transit; continue to invest in research; and spend more on the Google bug bounty program.

He said: “Today the Marketplace is void of security checks, allowing potentially malicious code into the Google branded app store. There is little to no security testing before applications are allowed into the store. As proven, it is trivial to get malicious code published and eventually mass downloaded. This is a great platform for cyber criminals to distribute their malicious code.

“Also, Google need to ensure that the private information that Google is collecting on its users is kept safe and secure. Furthermore, they should publish the data retention policy that Google uses so that it is clear and transparent to the user. Google has a significant amount of personal and private information that can be used against people if it falls into the wrong hands.”

Regarding the security of data in transit, Steer said that right now there is no enforced transport layer encryption rule across all Google sites that users may visit, and that an ideal vision would be for all Google-related sites and applications to enforce full data encryption both at rest and in transit.

Finally, and much like Eschelbeck, he requested that there be continued investment in research regarding web applications and operating systems, and more research into security threats and into implementing new security mechanisms in the Google properties. Regarding spending more on the Google bug bounty program, Steer said that so many people use Google today and yet the number of security exploits users are exposed to is high, whether it be poisoned search results or cross-site scripting flaws. Rewarding people more to detect and report ethically rather than sell to the underground will improve Google's security stance.

Finally, a security expert, who chose to remain anonymous, told SC Magazine they agreed with Steer on creating an easier mechanism for a user to report sites that they believe might be malicious. Again calling on crowd intelligence based on how many people reported a certain site to be malicious in some way, they said that this could go a long way in helping secure the web.

“I think overall Google are doing quite a fine job of clamping down on malicious sites that have been seeded via black hat search engine optimisation but really there is always room for improvement. There is always the other subject of malvertising, where malware distributors manage to sneak exploits and redirects into the Google ad system, which depending on the visibility could cause a lot of infections in a short period of time. I know they have a team working on this, but more resources there might not be a bad idea,” they said.

So it seems that there is plenty for Page to be concerned about when it comes to security as Google's platforms and applications increase. While Google Wave filters out and Gmail and Docs remain strong, from an end-user perspective there is not a lot to be done, but from a development perspective, perhaps it is a case of 'room for improvement'.

As for Schmidt, according to businessinsider.com, upon his departure from the CEO chair Schmidt filed to sell 534,000 Class A (publicly traded) shares under a pre-arranged trading plan created in December 2010. At today's price, that amounts to a payday of about $335 million (£206.5 million). Not a bad pay off as you step down, is it?

