Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety) Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions…
Category: Google Online Security Blog
Celebrating SLSA v1.0: securing the software supply chain for everyone
Bob Callaway, Staff Security Engineer, Google Open Source Security team Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version…
Google Authenticator now supports Google Account synchronization
Christiaan Brand, Group Product Manager
Securely Hosting User Data in Modern Web Applications
Posted by David Dworken, Information Security Engineer, Google Security Team Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web…
Supply chain security for Go, Part 1: Vulnerability management
Posted by Julie Qiu, Go Security & Reliability and Oliver Chang, Google Open Source Security Team High profile open source vulnerabilities have made it clear that securing the supply chains underpinning modern software is an urgent, yet enormous, undertaking. As…
Announcing the deps.dev API: critical dependency data for secure supply chains
Posted by Jesper Sarnesjo and Nicky Ringland, Google Open Source Security Team Today, we are excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health…
Thank you and goodbye to the Chrome Cleanup Tool
Posted by Jasika Bawa, Chrome Security Team Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS). Origin story The…
OSV and the Vulnerability Life Cycle
Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation’s Cybersecurity requirements for vulnerability disclosure programs and assurances…
Google Trust Services now offers TLS certificates for Google Domains customers
Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able…
8 ways to secure Chrome browser for Google Workspace users
Posted by Kiran Nair, Product Manager, Chrome Browser Your journey towards keeping your Google Workspace users and data safe, starts with bringing your Chrome browsers under Cloud Management at no additional cost. Chrome Browser Cloud Management is a single destination…
Our commitment to fighting invalid traffic on Connected TV
Posted by Michael Spaulding, Senior Product Manager, Ad Traffic Quality Connected TV (CTV) has not only transformed the entertainment world, it has also created a vibrant new platform for digital advertising. However, as with any innovative space, there are challenges…
Moving Connected Device Security Standards Forward
Posted by Eugene Liderman, Director of Mobile Security Strategy, Google As Mobile World Congress approaches, we have the opportunity to have deep and meaningful conversations across the industry about the present and future of connected device security. Ahead of the…
Vulnerability Reward Program: 2022 Year in Review
Posted by Sarah Jacobus, Vulnerability Rewards Team It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and…
Hardening Firmware Across the Android Ecosystem
Posted by Roger Piqueras Jover, Ivan Lozano, Sudhi Herle, and Stephan Somogyi, Android Team A modern Android powered smartphone is a complex hardware device: Android OS runs on a multi-core CPU – also called an Application Processor (AP). And the…
The US Government says companies should take more responsibility for cyberattacks. We agree.
Posted by Kent Walker, President, Global Affairs & Chief Legal Officer, Google & Alphabet and Royal Hansen, Vice President of Engineering for Privacy, Safety, and Security Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly,…
Taking the next step: OSS-Fuzz in 2023
Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…
Taking the next step: OSS-Fuzz in 2023
Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…
Sustaining Digital Certificate Security – TrustCor Certificate Distrust
Posted by Chrome Root Program, Chrome Security Team Note: This post is a follow-up to discussions carried out on the Mozilla “Dev Security Policy” Web PKI public discussion forum Google Group in December 2022. Google Chrome communicated its distrust of…
Supporting the Use of Rust in the Chromium Project
Posted by Dana Jansens (she/her), Chrome Security Team We are pleased to announce that moving forward, the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium. To do so, we are now actively…