
The State Of Google Security In 2016

While Google has vast resources of its own to find security vulnerabilities, the company has long embraced the idea of paying security researchers for finding flaws. In 2015 alone, Google paid out $2 million in bug bounties to more than 300 security researchers.

“Last year we gave out a lot of money to a lot of people for a lot of bugs,” Somogyi said.

And in 2016, Google is on track to give out even more money, he said. In March, Google increased the top reward it pays out for a Chrome OS vulnerability from $50,000 to $100,000 for the persistent compromise of a Chromebook in guest mode.

“With great research comes great rewards,” Somogyi said.

Safe Browsing Protections Extended

Google is also expanding and improving the efficacy of its Safe Browsing technology. Safe Browsing warns both desktop and mobile browser users of potentially malicious sites. Somogyi noted that this year, Google is extending even more Safe Browsing protections for malware and social engineering to Chrome on Android.

“Safe browsing today protects well over 2 billion devices,” he said.

In terms of best practices, Somogyi suggests that users don’t reuse passwords across services. This is something Google’s Project Abacus aims to help with. Abacus is an approach for password-less access that was first discussed at Google I/O in 2015. Google plans to roll out Abacus-based log-ins to Android by the end of the year.

Even before Abacus becomes available, though, Google has other approaches, including two-factor authentication using the FIDO U2F protocol, which enables stronger authentication than a simple password alone.

While using stronger passwords (or a password replacement technology), safe browsing and paying security researchers to find bugs are all good things, Somogyi said installing updates is one of the best ways to keep users safe.

Security is a complex challenge with many unknowns, but there are many known bad items, too. While zero-day risks are a concern, good password practices and keeping users updated are likely two of the best tools to help Google achieve its mission of Do No Evil—and the broader mission of not letting evil happen to its users either.

Originally published on eWeek.


Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek.
