We all rely on computers running software and applications, and we rarely think about the window this opens for cyber attacks, because we assume the products are safe enough. After Google's researchers kept finding vulnerabilities in software used by very large numbers of people, the company set up a dedicated team in 2014 to hunt for such bugs and report them to the software's developers. That team is Google's Project Zero. Bugs found by Project Zero are reported to the vendor and only made public once a patch has been released, or once 90 days have passed without one. A vendor that receives such a report without a well-prepared bug-fixing process in place can expect a serious headache.
Project Zero is an elite, internationally recognized security research team. It recently published statistics on the serious vulnerabilities it has reported over the past three years. This article walks through those numbers, explains what flaw remediation is, and shows how a remediation process fits into standards-based certification. Ready? Keep reading!
According to its own description, Project Zero was formed in 2014 to study zero-day vulnerabilities, that is, flaws in hardware or software that are unknown to the vendor and so have no fix available when they are found. For nearly ten years the team has worked to make it harder for attackers to find and exploit security vulnerabilities, and it has partnered with industry leaders to change how organizations prioritize and fix vulnerabilities and ship software updates. The stated aim is to make exploitation harder and the web safer for everyone.
Project Zero recently published statistics on the vulnerabilities it has reported over the past several years, and they are worth knowing.
The report shows a positive trend in the time vendors take to fix reported issues. In 2021 it took vendors an average of 52 days to fix a vulnerability reported by Project Zero, a significant acceleration from an average of about 80 days three years earlier.
On the other hand, some figures are concerning. Between 2019 and 2021, Project Zero reported 376 issues to vendors under its standard 90-day deadline. 351 (93.4%) of these bugs have been fixed, 14 (3.7%) were marked WontFix by the vendors, and the remaining 11 (2.9%) were still unfixed when the report was published. The majority of the reported vulnerabilities are clustered around a few large vendors; Apple, Microsoft and Google together account for well over half of the 376.
If your business depends on the integrity and availability of its systems, you should be concerned. That does not mean there is nothing you can do about it: this is where flaw remediation comes in.
Flaw remediation gets far less attention than headline incidents such as ransomware, malware or DDoS attacks. It is the process of fixing or neutralizing flaws after they have been discovered; in Common Criteria (ISO/IEC 15408) terms it is the ALC_FLR assurance family. Employees, partners, customers and regulators expect businesses to protect data against accidental or deliberate loss and disclosure consistently and effectively, and tolerance for outages or slowdowns is close to zero. Flaw remediation has therefore become a critical task for every business.
The process has both advantages and drawbacks, and they should be weighed before it is adopted.
Now that you know what flaw remediation is, you may be wondering whether your business needs its own remediation process. If you already have one, you may want to check whether it complies with the legislation or standards relevant to your industry. Let's look at why the process matters and how it protects your information.
A solid flaw remediation process includes a few fundamental activities, which are also what the ALC_FLR family asks a developer to document: receiving and tracking every reported flaw, describing its nature and effect, identifying and applying the corrective action, and delivering the correction and accompanying guidance to the product's users. When done correctly, everyone knows their role in the process and can act on it.
The vulnerability remediation process corrects or neutralizes discovered defects. It is usually described in four steps: identify the flaw, report and record it so it can be tracked, fix or neutralize it, and verify that the fix actually closes the flaw before it is released.
Project Zero's disclosure deadline effectively forces vendors to run exactly such a process: the flaw is pinpointed and reported, the vendor tracks it, fixes it and releases the fix, and the clock keeps running in the meantime. Having the same process in place is vital to the safety of your website and digital information.
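As an added illustration (not code from Project Zero or CCLab), the following Python sketches a minimal tracker for the workflow described above: each flaw moves from open to fixed, verified or wontfix, an open flaw is flagged once its 90-day deadline has passed, and the tracker computes the fix rate and mean days-to-fix that the report measures. The flaw ids, vendor names and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Standard deadline described in the article: a report goes public 90 days
# after it reaches the vendor if no fix has shipped by then.
DISCLOSURE_DEADLINE = timedelta(days=90)


@dataclass
class Flaw:
    ident: str
    vendor: str
    reported: date
    status: str = "open"            # open -> fixed -> verified, or open -> wontfix
    fixed_on: Optional[date] = None
    history: List[Tuple[date, str]] = field(default_factory=list)

    @property
    def disclosure_date(self) -> date:
        return self.reported + DISCLOSURE_DEADLINE


class FlawTracker:
    """Tracks reported flaws through the remediation states and computes metrics."""

    def __init__(self) -> None:
        self.flaws: Dict[str, Flaw] = {}

    def _get(self, ident: str) -> Flaw:
        if ident not in self.flaws:
            raise KeyError(f"unknown flaw {ident}")
        return self.flaws[ident]

    def _transition(self, flaw: Flaw, allowed: str, new: str, on: date, note: str) -> None:
        # Only the listed transition is legal; anything else is a process error.
        if flaw.status != allowed:
            raise ValueError(f"{flaw.ident}: cannot go from {flaw.status} to {new}")
        if on < flaw.reported:
            raise ValueError(f"{flaw.ident}: event date precedes the report date")
        flaw.status = new
        flaw.history.append((on, note))

    def report(self, ident: str, vendor: str, reported: date) -> Flaw:
        if ident in self.flaws:
            raise ValueError(f"duplicate flaw id {ident}")
        flaw = Flaw(ident, vendor, reported, history=[(reported, "reported to vendor")])
        self.flaws[ident] = flaw
        return flaw

    def fix(self, ident: str, fixed_on: date) -> None:
        flaw = self._get(ident)
        self._transition(flaw, "open", "fixed", fixed_on, "fix released")
        flaw.fixed_on = fixed_on

    def wontfix(self, ident: str, on: date, reason: str) -> None:
        self._transition(self._get(ident), "open", "wontfix", on, f"wontfix: {reason}")

    def verify(self, ident: str, on: date) -> None:
        # A fix is only done once someone has confirmed it closes the flaw.
        self._transition(self._get(ident), "fixed", "verified", on, "fix verified")

    def overdue(self, as_of: date) -> List[str]:
        """Open flaws whose 90-day deadline has passed as of the given date."""
        return sorted(f.ident for f in self.flaws.values()
                      if f.status == "open" and f.disclosure_date <= as_of)

    def metrics(self) -> Dict[str, float]:
        """Fix rate, WontFix rate and mean days-to-fix, the figures the report uses."""
        total = len(self.flaws)
        fixed = [f for f in self.flaws.values() if f.status in ("fixed", "verified")]
        wontfix = sum(1 for f in self.flaws.values() if f.status == "wontfix")
        still_open = sum(1 for f in self.flaws.values() if f.status == "open")
        days = [(f.fixed_on - f.reported).days for f in fixed]
        return {
            "total": total,
            "fixed": len(fixed),
            "fixed_pct": round(100.0 * len(fixed) / total, 1) if total else 0.0,
            "wontfix": wontfix,
            "wontfix_pct": round(100.0 * wontfix / total, 1) if total else 0.0,
            "open": still_open,
            "mean_days_to_fix": round(mean(days), 1) if days else 0.0,
        }


def build_sample_tracker() -> FlawTracker:
    """Constructed sample data: ids, vendors and dates are made up for illustration."""
    t = FlawTracker()
    t.report("FLAW-001", "VendorA", date(2021, 1, 10))
    t.report("FLAW-002", "VendorB", date(2021, 1, 15))
    t.report("FLAW-003", "VendorA", date(2021, 2, 1))
    t.report("FLAW-004", "VendorC", date(2021, 3, 1))
    t.fix("FLAW-001", date(2021, 2, 20))            # fixed after 41 days
    t.fix("FLAW-002", date(2021, 3, 19))            # fixed after 63 days
    t.verify("FLAW-002", date(2021, 3, 22))
    t.wontfix("FLAW-003", date(2021, 2, 10), "vendor considers it by design")
    return t                                        # FLAW-004 stays open


if __name__ == "__main__":
    tracker = build_sample_tracker()
    print(tracker.metrics())
    print("overdue on 2021-06-01:", tracker.overdue(date(2021, 6, 1)))
```

With the sample data, the tracker reports a mean days-to-fix of 52.0 and flags FLAW-004 as overdue from 30 May 2021, its 90th day. The point of the state machine is that a flaw cannot be verified before it is fixed and cannot be fixed twice, which is the kind of bookkeeping an ALC_FLR-style procedure expects to be able to show an evaluator.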
CCLab was founded in 2013 as an agile cybersecurity laboratory. We provide ISO/IEC 15408 Common Criteria evaluation and consultation services as a third-party, independent, accredited CC testing laboratory that assesses software products.
We believe Project Zero is a very important initiative, and we see its benefits from our partners' point of view. Drawing on Project Zero's findings, our consultants at CCLab can help you design a flaw remediation process that works for you.
Wherever you start, we can help. If you do not have a flaw remediation process in place, we can design one for you and assess which methods are most effective. If you already have one and want to optimize it, we can measure it against an internationally accepted standard and make sure it holds up.
We can also prepare you for regulatory compliance (MDR / IVDR, AI/ML) and for certification against industry standards such as ISO/SAE 21434 and IEC 62443.
Do you have more questions regarding the topic? Get in touch with us!