Google’s security princess talks cybersecurity

Parisa Tabriz manages Google’s Chrome security engineering teams and gave a keynote at PyCon US this year.

Her talk was even-keeled, informative, and included strong FOSS messaging about everyone’s vested interest in internet security and privacy. After the talk was done, I watched her take audience questions (long enough for me to take a short conference call) where she patiently and handily fielded all manner of queries from up and down the stack.

Folks who have dealt with crisis and high-pressure, like 911 operators, surgeons, or starship pilots, exude a certain aura of steadiness in all seas. I felt safer just hearing her keynote, and in watching her Q&A with the audience afterwards, you could sense that stalwart orbit of Zen tempering Parisa’s moves and words. Elitism is the foil of consensus, and her concern for the integrity of the chain of security—only as strong as the weakest link—is a concern for all netizens, not just hackers. All boats must rise with the tide, and I sure sleep much better knowing Parisa is on watch to help make sure they do.

She was gracious enough to spare some time before her flight to do a quick Q&A with me.

Where are you from?

Chicago Area, Illinois. I spent my first 21 years of life in Illinois, then moved to California to work at Google. I never touched a computer growing up, my family worked in healthcare. In high school I played computer games, and talked on instant messenger, but didn’t know much about the “magic boxes” and how they worked.

When it came time, I picked computer engineering at University of Illinois Urbana Champaign, and thought that learning about computers would be a good idea. I taught myself web programming, and at one point, I had a website that got hacked. I was in a Web Monkeys Group, and understanding how the site got hacked, got me into security, and I joined another student group. That ended up getting me interested in security.

At the time, there weren’t any official college courses on security, so much of what I learned was from friends, presentation of information, and experimenting together. I was already getting involved in the types of things that remind me of open source, and the collaborative environments, and sharing of information for the pursuit of creation, rather than simply financial gain. I was lucky to find an early community in Infosec, and knowing you can work on problems and solutions together, helped keep me through the challenging times in my degree, and my jobs.

Jobs?

I first had an internship at Sandia National Labs. It was part of this think-tank for cybersecurity. We had a broad set of projects, and I got involved in a wireless security project, that required me to read the spec on WiFi, and drivers—some open source, some not. With our lab setups, we were using the Atheros drivers to write our own. I learned a lot from looking at the open source implementation, and we were able to use it to control an access point. Networking security was what I focused on initially.

I wanted to get more experience, so I worked at Google the next year. I ended up leaving a PhD to work at Google full-time. When I joined, it was a team of hired hackers that tried to make products more secure. It was a broad goal. We use lots of FOSS, and we have lots of Google-specific tech too. It was a balance of quickly assessing security of brand-new stacks, and balancing with large FOSS projects, and how security was progressing there. Linux was one, but also web templating and other web tech. I did security reviews of acquisitions, and that exposed me to a gamut of biz, and tech built on custom and open source projects.

How big was the team when you joined?

The team was eight people when I joined. It has grown to now being a couple hundred. I became a manager of that team, but then moved to Chrome to do something entirely different.

Chrome?

It was client facing, but it was also fully open source. Most devs are still employed by Google, but not all.

(I work for Red Hat, so I get how that goes. We both lol’d)

That was really exciting, and challenging for a couple of reasons: the development documentation was completely public to the world. There is something both exciting and intimidating about that; you expose your interactions to a broad and diverse public beyond Google, which was big at the time. It was exciting to be able to share more broadly outside of Google. It was exciting to see how people are using Chromium to build other things. There are a lot of companies that use Chromium rendering engine, and other browsers branching from Chromium, and we do exciting things with Google Chrome. It is exciting to work beyond just Google’s vision of what a browser should be.

What about outside of Google?

I became a manager in part because as a manager, I think more about culture and people and the humans that make the technology. I have become more interested in diversity. Yes, I’m a woman, and I have selfish reasons, but I’m interested across axes to provide a more broad pool of solutions to problems. In security, we aren’t there yet. I’m really interested in talking with people who are interested in human factors, and product design, and people you don’t see at security conferences. I’m interested in people that wouldn’t consider themselves experts in security, but other software engineering disciplines. Having them work with/in security, they have a much better understanding of what types of mitigations and defenses are in a workflow. Culture and diversity are interesting.

Working with kids, in the middle-school age, thinking about what they want to be, what classes to take in high school and college. There is a stereotype on TV and movies, and on the boards of directors of what you need to look like to be involved in tech. We have a group, CS and Tech in Media, who work with folks in Hollywood. I’ve talked to the creators of Halt and Catch Fire, who include strong female leads, a Netflix series, for example.

Making security more approachable and diverse is important because we need everyone thinking about it. Not just people, but folks writing policy and law.

I really get away from tech entirely once in a while, go do roadtrips, and rock climbing, stuff like that. I’m going to go around to national parks, and be out of range. Getting perspective, and refreshing things.

I like making things, I like breaking things as a hacker. The Maker movement, I love instructables.com, making cool stuff that doesn’t exist for the purpose of making something is something I like.

I’m also a consultant with The United States Digital Service, which came about after the Healthcare.gov crisis. I’ve done some consulting with them as a security expert. I don’t just go in and talk about security and tech, but do civic hacking. Having government work with a “Launch early Launch often” culture has benefited a lot of tech, and at the same time, understanding how governance works. I leave the projects appreciating things I used to think of as entirely bureaucratic. Alex Gaynor was the one who invited me.

Conclusion?

I don’t think that security can or should be left to the specialists. A group of people making the net secure comes down to quality and maintenance—much less sexy than innovation—and is the result of community. Lots of people, constantly fixing and improving technology. The barrier to entry is still too high. We need help. Your perspective is valuable, whether you are just learning, or you’ve been at it for 40 years, it is your unique perspective, and you can contribute to software quality and making it more secure.