by IncludeSecurity 1756 days ago
Google is one of only a handful of companies in this world that can fundamentally change the state of security in the tech industry. I love Google and have many friends who work there; I truly believe in their mission. They have the talent and the financial resources, but sometimes they do not use those in ways that are strategically scalable, IMHO.

Here are some examples of ways they could use $100MM to completely flip the script on app security:

1) Google Project Zero - Some of the absolute best hackers in the entire world work on this team; they identify and exploit vulnerabilities at the same skill level as the best nation states. None of this significantly moves the needle. If they took this team, expanded its skill set, and redirected their efforts towards building protections for compilers, runtimes and frameworks, then that would be much more impactful than showing off the next <ubiquitous software> 0day.

2) Google's partner program - Google has a program that forces all integrators of their OAuth APIs, from Gmail to Gdrive, to have 3rd-party security assessments conducted. The 3rd parties they use put their most junior/scanner-focused pentesters on those projects. The approved 3rd-party vendors turn this into a cash cow because they hire kids straight out of school and bill them out at senior rates, because the API integration partners are forced to use these junior teams. Instead, they could create a register of ALL pentest companies, stop the SF/SV practice of secret lists, publish all data about security assessment/pentest firms, and prioritize the effective firms, not the junior firms.

3) Google could create zero trust FOSS software for all corporations. Zero trust is a hot topic; every COTS vendor now caters to the key buzzword. Often the COTS solutions are low quality, trying to make bank off a trend. Google is in the unique position of advancing the state of zero trust worldwide by FOSS-releasing zero trust and allowing all corporations in the world to jump a light year in corp-sec.

4) Advancing the state of systems programming - I love C; it was my second programming language and the one I first fell in love with. I won DEFCON CTF writing exploits for C code. All of that being said, there is almost no need at all for C in 2021. For almost all cases I can use Go, Rust, or something else memory safe instead of C. Google should move from using C for most programs and advance the state of Go and Rust via SAST tooling and security rules. Yes, this includes Android: Android should support non-C code such as Rust in the kernel, just like Linux is currently doing.

5) Align with security best practices on all OSes and desktop apps - MS is doing some amazing experiments with high security to make their browser extremely secure; Google should have been doing the same with Chrome for the past 10 years: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec... I know the usability/memory trade-offs being made here to keep the browser performant; I still think there is more that can be done here with the genius tech/sec innovators that Google has.

6) OpenSSF should create an alliance to fundamentally eliminate XSS and CSRF - Google is a huge sponsor (primary, I think?) of OpenSSF. That org can create an alliance with all of the top web app frameworks (Django, Rails, Flask, Gorilla, Spring, ASPMVC, etc.) for an operating mode which fundamentally uses all of the new web app security hotness (CORS, CORP, CORB, COOP, COEP, CSP, site security, etc.) to absolutely eliminate all XSS and CSRF possibilities at the web app framework level, and SQLi at the ORM level, for all notable web app frameworks. This would set a precedent across the industry.

7) ...I'm gonna stop there; I can go on forever. These are things I think about a lot, being in the hacking industry 20+ years. I'm often dreaming of "If I just had $5MM in funding I could solve so many security problems!!", but the only currently feasible way to get that funding is to use it to create a commercially viable product. Google's pledge to fund cyber security in an altruistic manner changes the game.

Google, we love you! Help us secure the Internet, you've got the power to totally change the game... we hope you do! :)

-Erik- Founder, IncludeSec
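A sketch of what the framework-level "operating mode" from item 6 of the post above could look like, added here as an example and not part of the original comment or of any framework named in it: a small Python WSGI middleware that ships the isolation headers the post lists (CSP, COOP, COEP, CORP) on every response by default, and rejects cross-site state-changing requests using the browser-set Sec-Fetch-Site header, with an Origin comparison as the fallback for clients that do not send Fetch Metadata. The header values, the own_origin parameter, the invoke() harness and hello_app are assumptions made for this example.

```python
# Illustrative secure defaults for this example: the isolation headers item 6 names.
SECURE_DEFAULT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def is_allowed_request(method, sec_fetch_site, origin, own_origin):
    """CSRF gate: writes must be same-origin, same-site or user-initiated."""
    if method.upper() in SAFE_METHODS:
        return True
    if sec_fetch_site is not None:  # Fetch Metadata: set by the browser, not by page script
        # "same-site" trusts sibling subdomains; drop it for a stricter mode.
        return sec_fetch_site in {"same-origin", "same-site", "none"}
    # Legacy clients send no Fetch Metadata: fall back to an Origin match (assumed policy).
    return origin == own_origin

def secure_by_default(app, own_origin):
    """WSGI middleware: block cross-site writes, add any default header the app omitted."""
    def middleware(environ, start_response):
        if not is_allowed_request(environ.get("REQUEST_METHOD", "GET"),
                                  environ.get("HTTP_SEC_FETCH_SITE"),
                                  environ.get("HTTP_ORIGIN"), own_origin):
            start_response("403 Forbidden", [("Content-Type", "text/plain")]
                           + list(SECURE_DEFAULT_HEADERS.items()))
            return [b"cross-site request blocked"]
        def wrapped_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(k, v) for k, v in SECURE_DEFAULT_HEADERS.items()
                     if k.lower() not in present]  # app-set values win over defaults
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, wrapped_start)
    return middleware

def invoke(app, method="GET", **http_headers):
    """Drive a WSGI app in-process with a constructed environ; returns (status, header dict, body)."""
    environ = {"REQUEST_METHOD": method}
    environ.update({"HTTP_" + k.upper(): v for k, v in http_headers.items()})
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

def hello_app(environ, start_response):  # a plain app that sets no security headers itself
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```

Wrapping hello_app with secure_by_default(hello_app, "https://app.example") makes a cross-site POST return 403 while a plain GET still returns 200 with the four headers attached.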