5 min reading time
We all run computers with an operating system and a variety of applications installed, and we rarely think of them as an open window for cyber attacks, because we assume the software is safe enough. After Google's researchers found many vulnerabilities in software used by a very large number of people, Google set up a dedicated team to hunt for such vulnerabilities and report them to the software's developers. The project was named Project Zero. Bugs found by the Project Zero team are reported to the vendor and made public only once a patch has been released, or once 90 days have passed without one. A vendor that learns of such a finding without a well-prepared bug-fixing process in place is in for a serious headache.
Project Zero is an elite, internationally recognized security research team. It recently published statistics on the serious vulnerabilities it reported over the past three years. In this article we walk through those statistics, explain what flaw remediation is, and look at what a solid flaw remediation process contains.
Ready? Keep reading!
Google Project Zero is a globally recognized, elite security research team. According to its website, the team was formed in 2014 to study "zero-day vulnerabilities" in hardware and software systems. Since 2014, Project Zero has worked to make it harder for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. It has partnered with industry leaders to change the way organizations prioritize and approach fixing security vulnerabilities and updating people's software.
Its stated aim is to make security vulnerabilities harder to exploit and so to make the web safer.
Project Zero recently published statistics on the vulnerabilities it has reported over the past several years, and they are worth knowing.
The report shows a positive trend in the time vendors take to fix reported issues. In 2021 it took vendors an average of 52 days to fix vulnerabilities reported by Project Zero, a significant acceleration from an average of about 80 days three years earlier.
On the other hand, some of the numbers are concerning. Between 2019 and 2021, Project Zero reported 376 issues to vendors under its standard 90-day deadline. 351 of them (93.4%) were fixed and 14 (3.7%) were marked WontFix by the vendor, which leaves 11 still unfixed at the time of the report. The majority of the reports are clustered around a few large vendors; in the report's per-vendor breakdown Apple, Microsoft and Google account for the most fixed bugs.
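To make the numbers above concrete, here is an added example (ours, not Project Zero's or this article's code) that computes the same kind of metrics over a small, constructed issue-tracker export: days from report to fix, the share fixed and the share marked WontFix, a per-vendor breakdown, and which still-open reports have already passed the 90-day deadline the article describes. The issue IDs, vendor names and dates are invented for illustration; the disclosure rule implemented is exactly the one stated above (public when the fix ships, or when 90 days elapse without one).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Disclosure deadline as the article describes Project Zero's policy:
# a report goes public once a patch ships, or once 90 days pass without one.
DEADLINE_DAYS = 90


@dataclass
class Issue:
    issue_id: str
    vendor: str
    reported: date
    fixed: Optional[date] = None   # None while the vendor has not shipped a fix
    wontfix: bool = False          # vendor declined to fix


def days_to_fix(issue: Issue) -> Optional[int]:
    """Calendar days from report to fix, or None if no fix has shipped."""
    if issue.fixed is None:
        return None
    return (issue.fixed - issue.reported).days


def disclosure_date(issue: Issue) -> date:
    """Date the report becomes public: the fix date if it beat the deadline,
    otherwise the deadline itself (this also covers WontFix and open issues)."""
    deadline = issue.reported + timedelta(days=DEADLINE_DAYS)
    if issue.fixed is not None and issue.fixed <= deadline:
        return issue.fixed
    return deadline


def remediation_metrics(issues: List[Issue], today: date) -> Dict:
    """Project-Zero-style summary of a batch of reports as of `today`."""
    fixed = [i for i in issues if i.fixed is not None]
    wontfix = [i for i in issues if i.fixed is None and i.wontfix]
    open_issues = [i for i in issues if i.fixed is None and not i.wontfix]
    durations = [days_to_fix(i) for i in fixed]
    total = len(issues)

    per_vendor: Dict[str, Dict[str, int]] = {}
    for i in issues:
        v = per_vendor.setdefault(
            i.vendor, {"reported": 0, "fixed": 0, "wontfix": 0, "open": 0})
        v["reported"] += 1
        if i.fixed is not None:
            v["fixed"] += 1
        elif i.wontfix:
            v["wontfix"] += 1
        else:
            v["open"] += 1

    return {
        "total": total,
        "fixed": len(fixed),
        "fixed_pct": round(100.0 * len(fixed) / total, 1) if total else 0.0,
        "wontfix": len(wontfix),
        "wontfix_pct": round(100.0 * len(wontfix) / total, 1) if total else 0.0,
        "open": len(open_issues),
        "avg_days_to_fix": round(sum(durations) / len(durations), 1) if durations else None,
        "fixed_within_deadline": sum(1 for d in durations if d <= DEADLINE_DAYS),
        # Open reports past the deadline are already public under the policy,
        # so they are the ones a remediation team must escalate first.
        "open_past_deadline": sorted(
            i.issue_id for i in open_issues
            if (today - i.reported).days > DEADLINE_DAYS),
        "per_vendor": per_vendor,
    }


# Constructed sample data (hypothetical vendors and dates, not real reports).
SAMPLE_ISSUES: List[Issue] = [
    Issue("A-1", "VendorA", date(2021, 1, 10), fixed=date(2021, 2, 14)),   # 35 days
    Issue("A-2", "VendorA", date(2021, 3, 1), fixed=date(2021, 6, 15)),    # 106 days, past deadline
    Issue("B-1", "VendorB", date(2021, 2, 1), fixed=date(2021, 3, 20)),    # 47 days
    Issue("B-2", "VendorB", date(2021, 5, 5), wontfix=True),               # declined
    Issue("C-1", "VendorC", date(2021, 9, 1)),                             # open, past deadline
    Issue("C-2", "VendorC", date(2021, 11, 20)),                           # open, inside deadline
]
TODAY = date(2021, 12, 31)

if __name__ == "__main__":
    for key, value in remediation_metrics(SAMPLE_ISSUES, TODAY).items():
        print(f"{key}: {value}")
    for issue in SAMPLE_ISSUES:
        print(issue.issue_id, "public on", disclosure_date(issue))
```

Feeding a real tracker export into `remediation_metrics` gives a team the same three figures the report is built on (average days to fix, share fixed inside the deadline, share WontFix), and `open_past_deadline` is the list that should drive the escalation step of a flaw remediation process.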
If your organization depends on the health of its digital systems to do business, this should concern you. It does not mean there is nothing you can do about it, though. That is where flaw remediation comes in.
Flaw remediation gets unfairly little attention compared with headline incidents such as ransomware, malware and DDoS attacks. It is the process of fixing or otherwise neutralizing discovered flaws. Employees, partners, customers and authorities expect businesses to maintain policies and practices that protect data against accidental or deliberate loss and disclosure, continuously and effectively, and they have little tolerance for system outages or slowdowns. Flaw remediation has therefore become a critical task for every business.
There are, of course, advantages and some drawbacks to this process.
The pros your company gains from a flaw remediation process:
The cons you will face when applying a flaw remediation process:
Now that you know what flaw remediation is, you may be wondering whether your business needs its own flaw remediation process. If you already have one, you may want to check whether it complies with the relevant industry legislation or standards. Let's look at why it is essential and how it protects your information:
Here are some of the fundamental activities that you can expect to see in a solid flaw remediation process:
When done correctly, everyone will know their role in this process and will be able to act on it.
The vulnerability remediation process is a method for correcting or neutralizing discovered defects. It has four steps:
Project Zero's own work covers the front of this process: pinpointing flaws and reporting them to the vendor, whose remediation process then has to fix them within the deadline. Having such a process in place is vital to the safety and health of your products and digital information.
Our company was founded in 2013 as an agile cybersecurity laboratory. Here at CCLab we provide services such as ISO/IEC 15408 Common Criteria evaluation and Common Criteria consultation. We are an independent, accredited third-party CC testing laboratory responsible for evaluating software products.
We also offer Medical Device Cybersecurity, Industrial Control System Security Services, and Automotive cybersecurity solutions.
We believe Project Zero is a very important project, and we see its benefits from our partners' point of view.
Drawing on Project Zero's findings, our consultants at CCLab can help you design a flaw remediation process that works for you.
No matter where you start this process, we can help. If you don’t have flaw remediation processes in place, we can design them for you and assess the most effective methods.
If you already have a flaw remediation process and want to optimize it, we can help too: we can measure it against an internationally accepted standard (in Common Criteria terms, the ALC_FLR flaw remediation assurance family) and make sure it meets the requirements.
We can also prepare you for regulatory compliance (MDR / IVDR, AI/ML) and/or certification against industry standards such as ISO/SAE 21434 and IEC 62443.
Do you have more questions regarding the topic? Get in touch with us!