Parisa Tabriz loves making and designing things. Sometimes, that desire manifests itself through physical arts and crafts; other times, it’s expressed through code.
In college, she found a creative outlet through web development, since it was easier and cheaper than buying art supplies. When somebody hacked one of her sites, she joined a local information security and hacking club to figure out how. From there, she never looked back.
Click here for complete coverage of SC Media's 2020 Women in IT Security
“I love working in security because it’s a really interdisciplinary field,” said Tabriz, who also goes by the job title “Security Princess.” “You not only need to understand how technology is built – and can be broken – but also the motivations and psychology of humans and their interactions with technology.”
Now director of engineering at Google, Tabriz leads two extremely important initiatives for the tech behemoth.
First, she oversees Chrome, the popular browser used by millions of people around the world, updating the browser’s design, responding to feedback from users and building in the latest security features. She also helps ensure that Chrome operates smoothly across different devices and products, something that requires a lot of testing and tinkering.
“There’s been lots of challenges over the years, especially as we’ve adapted Chrome to take advantage of capabilities on a powerful desktop machine with high-speed internet access while also still working great on a low-end phone used in bad network conditions,” said Tabriz.
Second, she runs Project Zero, a team of Google security researchers tasked with finding some of the most dangerous, impactful cybersecurity vulnerabilities in the world. That approach has led to some high-profile impacts: it was Tabriz’s team that helped discover Meltdown and Spectre in 2018, a pair of processor chip vulnerabilities that can’t be easily patched or mitigated and that existed in most common computing devices.
Her team doesn’t just find bad bugs: for the benefit of blue team defenders, they do in-depth research spelling out exactly how attackers might weaponize and exploit them against potential victims.
“Our strategy is to build a practical offensive security research pipeline to advance the broad understanding of software and system exploitation among defenders, which ultimately leads to structural improvements and better end-user security for everyone,” said Tabriz. “In terms of focus, the team considers attacker and technology trends alongside their personal expertise and instincts when picking and prioritizing targets. The goal is always to have the most structural defensive impact.”