Safety & Security
Mar 04, 2024
min read
Our new report — Secure by Design at Google — outlines our principles and approaches for strengthening security through a process that implements software security from the beginning of the design phase, onward.
In today’s cybersecurity landscape, vulnerable software can act as the conduit for devastating events. That’s why it’s critical that technology is safe before it reaches people, before we start coding, and throughout its lifecycle — it’s what we call technology that is Secure by Design.
Today, we’re releasing a report, Secure by Design at Google, outlining how we use these principles to strengthen our infrastructure and take the security burden off users and developers by implementing software security from the start. We’re also releasing, Secure by Design: Google's Perspective on Memory Safety, which shares our insights on how Secure by Design applies to memory safety and offers a way to fix this decades long vulnerability issue.
Over the past year, we have rightfully seen policy initiatives attempt to help shift the security burden from the end-users to software manufacturers, such as CISA’s Secure by Design initiative and the recent White House Memory Safety report. However, the ecosystem is still lacking a widely-adopted guide to set organizations in the right direction.
Today’s Secure by Design paper shares Google’s years of experience using the concept to "build security in" during the design of a software product and throughout the development lifecycle, rather than "bolting it on” afterwards. We offer four principles for Secure by Design for software design, development and deployment:
These four principles can help produce products and services that are designed to automatically defend users from things like malicious servers, network-level adversaries, attacks through downloaded files, phishing attacks, and more. These principles can also significantly reduce entire classes of vulnerabilities.
Securing software has historically been the responsibility of developers, with the expectation they understand and follow complex secure-coding guidelines. It’s no wonder so many incidents start with an error when developing and deploying systems: failure to consider a security threat during the design of a system, introduction of a coding error during development that results in a vulnerability, or a configuration change that exposes a deployed system to attack.
We believe that a Secure-by-Design approach applied to developer ecosystems is one of the most effective ways to achieve high assurance levels of safety and security. A developer ecosystem designed for safety and security ensures security invariants for applications, and prevents entire classes of vulnerabilities, providing assurance at scale. It’s why Google is investing to further expand use of memory safe languages to address the risk of developers accidently introducing these kinds of vulnerabilities, putting that responsibility on the language itself. We are also investing in building out the external memory-safe ecosystem, through a $1,000,000 grant to the Rust foundation, and funding efforts to bring Rust to the Linux Kernel.
To make products more secure as soon as they reach users’ hands means focusing upstream on our software development — perfecting safe coding, deployment and guidance. At Google, we will continue to engage deeply, share our experience, and partner to advance new frameworks, best practices and guidance to secure the digital domain for everyone.
Today, Google Quantum AI and Google.org are joining XPRIZE and the Geneva Science and Diplomacy Anticipator (GESDA) to launch XPRIZE Quantum Applications.
Let’s stay in touch. Get the latest news from Google in your inbox.
Follow Us

source