Merrill said that Google engages in rigorous examination of the underlying code in its products to eliminate potential vulnerabilities both during their production and after the tools have gone live.
He said that by fostering open communication with security researchers, white hat hackers, and other technology providers and encouraging responsible disclosure of any problems, the company has been able to head off attacks that could be aimed at its products.
Google currently employs over 1,000 engineers whose responsibilities include testing for holes in its software and has built proprietary code-scanning tools, he said while acknowledging that the threat of attacks is a reality that no firm can write off in today's environment.
"The reality of the world is that Web applications have a larger attack surface and that client-based technologies have been around a lot longer and still struggle with security issues, but we have a big advantage in that if a problem is found, we can fix it right away on our servers versus trying to send patches out to all of our users," Merrill said. "That doesn't mean we will find all the issues. Security is a constantly changing field, but we're happy with the progress we've made."
Merrill contends that Google's products actually represent a significant advantage over other technologies in terms of security and that they have proven useful in helping companies solve and locate data management problems.
Google's Search Appliances and Desktop products are useful in helping companies find data that may be stored or used improperly within corporate systems, for instance, and its Apps tools require users to authenticate themselves before they are given access to shared documents, adding a new layer of protection to collaborative business efforts, he said.
Through its Google Security Blog and participation in Stopbadware.org -- a malware research effort launched in cooperation with experts at Harvard University Law School, among others -- the CIO said that the company is keeping customers informed of its ongoing work and staying abreast of the latest attack methods.
"As companies get more widely-known they provide a larger attack surface, but we hope we will continue to maintain our close relationships with security researchers, and we will continue to invest in research and development to protect data as our tools get more popular," Merrill said. "We don't feel that the published risks have been too severe, but we will continue to focus on finding and fixing any problems."
Industry analysts agreed that Google has done well thus far in protecting its users from major product vulnerabilities and attacks but observed that the company must learn from the mistakes of companies such as Microsoft if it is to retain its positive image.
Google is in the same position of any dominant technology provider in terms of potential attack and will need to remain open to criticism and stay aggressive in quashing potential problems if it is to maintain that standing, said Paul Stamp, analyst for Forrester Research.
"Google has to learn from Microsoft's mistake of avoiding talk about security issues based on the idea that it will embolden the people trying to take advantage of any vulnerabilities," Stamp said. "If they think that there aren't people out there who know their products as well as they do or who can't exploit any existing problems, that would be a mistake."
The analyst lauded Merrill's pledge to remain open about potential security issues and to court the help of researchers versus making them feel like adversaries.
"Google needs to be transparent and be forward-thinking and use the community to find bugs before even they can find them for themselves," said Stamp. "It's a matter of saying, 'These are the types of attacks we expect to see,' and challenging the research community to go find the bugs first."