Interview with Gábor Molnár, Google

Tell us a bit about yourself

Hi, I’m Gábor Molnár, Senior Information Security Engineer at Google, and a web-security and foosball enthusiast! The ISE team at Google is responsible for product security – to put it simply, we are responsible for making sure Google products and services are secure to use. And of course, the opinions stated here are my own, not those of my company.

What do you find most interesting about computer security?

At its best, computer security is a never-ending intellectual cat-and-mouse game, a continuous exchange of puzzles and their solutions between two opposing sides, where each step in the game needs to be more clever than the previous one. But of course, there’s a lot of regular computer engineering work to make things work behind the scenes, and I wouldn’t do it if I didn’t also find that interesting in itself.

What does an average day in your position look like?

On the best days, I can read/write code or documents for a project the whole day and forget everything else, but on a typical one, it’s mostly about communicating with a lot of different people through emails, meetings, document comments – about the security of different products and services, and about organizing work within the team.

You have been in the industry for several years. When it comes to cybersecurity, what do you think is the most important thing for developers to be aware of?

In an ideal world, they wouldn’t have to be aware of anything; the frameworks they use would make insecure things impossible, or at least force developers to make an informed and explicit decision to opt out of the secure defaults in cases where it’s justified. Maybe the one thing that would be super useful even in an ideal world is threat modeling – a technique to deal with high-level logic bugs that even secure frameworks can’t prevent by themselves. Until everyone uses such secure frameworks though, maybe the most important is to be aware of where to find the security documentation and people to answer security-related questions, and the cases when it’s worth consulting them (when choosing technologies/frameworks/libraries to use, when applying unusual solutions, etc.).

Do you have any recommended best practices for keeping up-to-date with the latest security trends?

If you want to know everything immediately, then follow security researchers on Twitter (or be around people who do that!). Trainings, tech talks, and conferences have a pretty good up-to-date-information/effort ratio too (more delay but less effort).

You are a passionate CTF player. Why do you think CTFs are an important addition to an organization’s IT security efforts?

Security competitions are a really good way to help people learn about security while having fun.

Have you ever come across any friction between security and developer teams? If so, how did you resolve it?

Developers always want to ship good products and features quickly, and security can sometimes be perceived as slowing them down. In concrete cases, my experience is that once everyone is on the same page about the security problem at hand (i.e. everyone has the same understanding of the risk), then it’s usually a straightforward decision for the product team to fix it, or for the security team to not push it. In case of a disagreement, escalation is an important tool to use; if done correctly, it helps avoid personal conflicts and leads to the best decision for the company. In the long term, there are two ways to reduce that inherent conflict between security and development velocity: make security effortless (i.e. make it the default) and make it a feature of the product (i.e. make it part of the definition of “good product/feature”).

What would be your best advice for security professionals trying to be successful in this field?

If you’re just getting started, try to find like-minded people and make a CTF team!