Comments on: Security expert blesses Google Native Client technology

Researcher who wins bug-finding contest says Google Native Client technology is architecturally sound.

[JasonCe]

I am confused.

These guys have "found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants", and that product has not even shipped yet (no one is looking to exploit it), so chances are there are many times more vulnerabilities still in it, and yet they "bless Google Native Client technology"?

Shouldn't it be the other way around?

I wonder if it has anything to do with Google paying these guys...

[khimru]

Number of guys attacking something != number of defects found. Not even close. Think about PS3 and XBox360. Heck, think about DES and AES! AES, DES, and Cell (central piece of PS3 security architecture) - all these things very reviewed by security professionals before release - and they all are unbroken as of yet (DES just used too short passwords so brute force attacks are now feasible). The only thing with "zero number of known and fixed vulnerabilities at the release date" in the list above is XBox360. It included top-secret Microsoft's in-house architecture and many tricks to make it "more secure"... and it was broken months after release.

Sure, review of security professionals is not a panacea (think MD5), but it sure as hell better then alternatives. And 22 bugs are not such a big number if you'll consider size of Native Client's code...

[Marcus Westrup]

I have to agree with JasonCe on this one - this endorsement sounds a little too cozy. Google has crossed it's "do no evil" line a few times, so why should we trust this?
I'd like to get a second opinion.

[simmons142]

I second what khimru says, above -- there's no contradiction with security researchers finding 22 bugs and then giving the software their blessing. Laymen often assume that security is a matter of whittling down bugs, when it is actually the application of sound principles and good design. Even in a well-designed piece of software, finding 22 bugs comes as no big surprise because writing software is hard, humans are fallible, and the rigorous engineering processes needed to create bug-free software have not been invented (or perhaps just haven't been popularized).

[GEO2003]

These Security Experts no doubt have great credentials to be able to analyse vulnerabilities in WEB applications. The questions is - Are they really smarter then undergroud hackers whom may be able to surpace the technical knowledge of of these Security Experts. At any point in time someone else could come alone who may be better at finding vectors to attack Web Applications.

The email that show this article is the same email from Cnet that show the story of Google's Cloud computing OS. They both complement each other, in that while Google may be touting their Web OS as secure, this story shows the opposite.