Parisa Tabriz is Google Chrome’s security lead. She has worked on information security at Google for more than 6 years, starting as a “hired hacker” software engineer for Google’s security team. As an engineer, she found and closed security holes in Google’s web applications, and taught other engineers how to do the same.
Today, Parisa manages Google’s Chrome security engineering team, whose goal is to make Chrome the most secure browser and keep users safe as they surf the web. In late 2012, she was selected by Forbes as one of the 30 under 30 pioneers in technology. When she’s not hacking, she likes to make things (art, food, miscellaneous DIY projects) or escape Silicon Valley to go hiking and rock climbing in the mountains.
“Good code is marked by qualities that go beyond the purely practical; like equations in physics or mathematics, code can aspire to elegance,” author Vikram Chandra recently exclaimed in an article in the Financial Times. In an environment where statistics in US education make for grim reading in the numbers of young people, especially women, that are going into programming and computer science, this “beautiful art form” needs to be embraced – and fast.
Column inches have been filled with critics condemning the state of technology education in the US and all the while increasingly more jobs are now reliant on computer and coding across all sectors. A 2010 report from both the Association for Computing Machinery and the Computer Science Teachers Association found that more than two-thirds of US states had little or no literacy in computer science at secondary school level. It is a problem, which the report suggests, has left the US “woefully behind in preparing students with the fundamental computer science knowledge and skills they need for the future.”
However, in contrast to this gloomy analysis, are the success stories and role models that thrive in the field and seek to educate others on the importance and benefits of computer science. One such example is Parisa Tabriz, who manages Google Chrome’s information security engineering team and teaches developers how to secure their products. Educated at the University of Illinois, Urbana-Champaign, receiving a degree and Masters in computer science, Tabriz, who Google call their “Security Princess”, was last year named in Forbes “top 30 under 30” young pioneers in technology.
Tabriz’s daily task at the forefront of web security is to keep Google Chrome users worldwide safe from malicious attacks by cyber criminals. Her team of “hired hackers” ensures Chrome has a secure architecture design and code implementation, finds and fixes security bugs, works on the biggest security headaches users face on the web (like passwords and phishing), and serves as an expert security consulting group for the larger Chrome project.
“Unlike a lot of the people I work with today, I had little exposure to computers as a child. My parents worked in healthcare so encouraged sciences, but it wasn’t until college that I first had exclusive access to a computer,” says Tabriz. Through her love of both math and art, Tabriz was keen to study a STEM subject and started attending programming classes to learn how to programme. “My interest in art got me into web development and designing personal web pages as a college student. It was a cheap way to express myself creatively and see the results instantaneously.”
It was through the Association of Computing Machinery, where Tabriz gained exposure to “real” software development and met many other like-minded people. This inspired her to join an informal Friday evening club where the group would try and understand software, find unintended uses of it and repurpose it “in the true original spirit of hacking.” Here she picked up many of her information security skills and tricks that lead her to major in computer science.
“At the time there weren’t any proper classes on information security, it was all through group members talking to each other and experimenting with ideas. Web security wasn’t considered relevant or very cool because exploitation was easier, more reliable, and more damaging via bugs in the underlying operating system. It’s different today, given how much greater relevance the world has on the Internet and web applications.”
According to Code.org, less than 2.4% of US college students graduate with a degree in computer science, and the numbers are declining. The non-profit organisation that is dedicated to expanding participation in computer science education by making it available in more schools, and increasing participation by women and underrepresented students of colour, also states that only one in ten students knows how to write computer code. Additionally, in the US it is estimated there will be 1m more jobs than computer science students by the year 2020.
“I really think computer programming or more classroom exposure to technology in an explicit way should be part of an education curriculum. It’s something that has relevance across all disciplines,” notes Tabriz. “Technology doesn’t solve all problems, but it can certainly help us accomplish things more efficiently and consistently, and it makes collaboration possible where it might not be otherwise. These are challenges relevant to everyone.”
However, Tabriz recognises there is a challenge in picking curriculum and notes that there needs to be a broad balance in subjects. “I think we should have more technology emphasis in the curriculum, however we also need to supplement this with free and interesting opportunities to learn, for students of all ages. Raising awareness and understanding of technology is something that can be embedded in fun activities. For me, programming and computer science was interesting because it empowers someone to create something, and do so relatively quickly and cheaply compared to other engineering disciplines. With access to a computer and the Internet, you’re only limited by your ideas and imagination.”
The Gender Gap
In certain parts of the world, computer science and technology is as appealing to women as it is to men. According to a report from Women in Global Science and Technology, Brazil ranks the highest in the world for the overall representation of women in science and technology. This is in part, down to programmes that support women in the workforce, female entrepreneurship and provides good funding for education and research. India and South Africa are two other examples, yet in the US and parts of Europe there are a severe lack of young women going into the industry and studying the discipline.
“There isn’t a clear root to the problem. In my mind, we just need to be trying lots of different things to get more women involved in STEM,” says Tabriz. “We can make the work place a more positive environment today for women by discussing ways to identify and combat sexism and ensure that mothers have the flexibility and support from their co-workers to balance home and work. We also need to be reaching out to younger women and girls by providing scholarships and mentoring those curious about getting involved in STEM, and also help ensure they’re aware of available opportunities by making the contributions from existing women in STEM more visible.”
The motivation behind Tabriz’s comments is backed up by the significant gender gap in the information technology sector. An article in Quartz back in October alluded to the paucity of reliable data on the number of women working in technical roles. In a public Google spreadsheet created by Tracy Chou, a software engineer at Pinterest, data was collected from 84 different tech companies on how many women engineers they employed. The data, while preliminary, and by no means absolute, revealed a growing problem with tech companies employing an average of 12.33% women engineers.
“Selfishly, I’d love to work with more women so that gender wasn’t such a focus of immediate attention, but beyond that I’ve seen an increasing amount of research that shows more gender equality leads to better results”, explains Tabriz. “For example, research has demonstrated that companies with diverse leadership do financially better or that cognitively diverse groups are more innovative. So even if people don’t share the ideal, an increased diversity of perspectives working on any problem will lead to a better solution.”
After doing an internship at a national security lab in the US, post university, Tabriz found her break joining the hacker team at Google as an intern. At Google she secured a role as an engineer, a position she held for five years, before becoming a manager and then moving across to head up Google Chrome’s security team, a year ago. Managing a team of 20 across the globe, her team finds and fixes bugs in software as quickly as they can. They do this by using computational resources to resolve easy problems and humans to work on the tricky complex problems. Through ‘fuzzing’ on (the affectionately named) ‘cluster fuzzing’ – thousands of computers automatically security test Chrome to find bugs – the team is alerted to threats and then can manually assess very sensitive pieces of code.
“Thousands of developers are adding new features and making code changes every day, so we acknowledge there will always be some mistakes introduced,” a frank Tabriz exclaims. “The fact we are testing continuously helps us find and fix the bugs quickly. I’ve been happy to see an attitude shift across industry toward security bugs in the past few years. Companies used to hide bugs or try not to draw attention to them, but now organisations are much more transparent. The current trend is to work with and leverage the broader security community by, for example, hosting vulnerability reward programmes.
Fighting Cyber Crime
Tabriz believes web security has now become even more important with the increased number of people moving their lives online, whether it is for financial management, shopping or interacting with people. This in turn, has created more opportunities for cyber criminals to take advantage of unsuspecting web users. “Whereas 10 years ago, the attackers were exploiting people’s operating systems or servers, now they’re shifting focus to web applications. Identity theft now is much easier – all it takes is a stolen or phished password, and an attacker has direct access to someone’s digital life.”
Through teaching developers on security, she has taught many an individual to first get into the mind-set of a malicious hacker, and only then can the problem be solved and combatted. One scenario she describes is fitting and accessible to all. “We start all our classes by using different non software examples. Take for example a vending machine in the middle of a crowded airport. Think of some ways to get lots of snacks from the machine without using the change in your pocket. Now think of ways to exploit and break the machine. On the flipside, how do you make the machine more secure and defend it against those mischievous thieves?”
And with that simple, yet thoroughly effective antidote, Tabriz leaves the interview on a determined high. “The doom and gloom stories about information security may get the majority of the headlines and people’s attention, but it’s a really positive time with lots of great things being done, we should fully embrace it.”