
It’s easy to believe that releasing software at a slower pace means the software gets released more securely. While it’s sometimes counter-intuitive, my experience has been the exact opposite: quick releases are beneficial for shipping secure products.

Back in 2014, when I was running security and privacy for social products at Google, OpenSSL was hit with a rather nasty security vulnerability. We needed to update the application code immediately. Our fixed Android apps were publicly available within a few hours while the iOS apps were in review with Apple.

Unfortunately, the rest of the Google team took weeks to remediate the risk and many companies took far longer. What allowed us to move quickly while the rest of the organization was behind? The social products at Google had the kind of CI/CD release setup for mobile applications that many organizations even today only dream of. Pair that with a truly excellent team of release engineers and we were able to get the job done. The organization as a whole, however, did not.

And there’s no single entity to blame. Excellent engineers who cared about their users and security worked on each of these teams, but the difference was the social teams already had processes in place to make, test, approve, and roll out releases quickly.