What Can We Learn From Google Zero's Statistics about Flaw Remediation?

We all use certain computer products with their software and different applications installed. We never think about opening the window for cyber attacks as we usually believe the software products are safe enough. During a research Google team has found many vulnerabilities in software used by a great amount of users. After this incident they decided to set up a dedicated team to look for such vulnerabilities and inform the software’s developer about them. This project was called Google Zero. Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released. In case the developer’s team finds out about the found vulnerabilities, without having well-prepared bug fixing processes this could cause a big headache to their teams. 

Google Zero, is an elite, internationally-recognized cybersecurity research team. They recently released their statistics on serious vulnerabilities found in the past 3 years. In this article, we will give you an insight into the uncovered statistics.

Besides, we will discuss:

• What is Flaw Remediation?
• Why is it important to design Flaw Remediation Processes?
• What activities and processes Flaw Remediation Process consists of?
• How to effectively design Flaw Remediation Processes?
• Who is CCLab and how can we help you with Flaw Remediation Processes?

Ready? Keep reading!

What Is Google Zero?

Google Zero is a globally-recognized, elite cybersecurity research team. According to their website, Google Zero was formed in 2014 to study “zero-day vulnerabilities” that may occur in hardware or software systems. For nearly ten years, Google’s Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. They have partnered with industry leaders to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people’s software

‍They aim to make it harder to exploit security vulnerabilities and improve the safety of the web. 

‍

What Statistics Has Google Zero Uncovered?

‍

Google Zero recently released valuable statistics on security vulnerabilities they have found in the past several years that are important to know. 

According to the report, there is a positive change in the number of days to get security issues fixed by vendors. In 2021, it took an average of 52 days to fix security vulnerabilities reported from Project Zero which is a significant acceleration from an average of about 80 days 3 years ago.

On the other hand, there are unsolved issues that are concerning. Based on the report between 2019 and 2021, Google Zero reported 376 issues to vendors under their standard 90-day deadline. 351 (93.4%) of these bugs have been fixed, while 14 (3.7%) have been marked as WontFix by the vendors. The majority of vulnerabilities are clustered around a few vendors:

• 96 bugs (26%) were reported to Microsoft, 
• 85 (23%) to Apple, 
• 60 (16%) to Google.

If you’re an organization that relies on your digital health to run your business, you should be concerned. But, that does not mean there is nothing you can do to address this issue. That is where flaw remediation comes in.

What Is Flaw Remediation process?

Flaw Remediation is an unfairly neglected topic compared to cyber security incidents like Ransomware, Malware, DDoS attacks. Flaw Remediation is a process for fixing or neutralizing discovered flaws. Employees, partners, customers, and authorities demand businesses to implement policies and practices that safeguard data against accidental or deliberate loss and disclosure on a constant and effective basis. Besides, there is zero tolerance for system outages or slowdowns. All in all, dealing with flaw remediation has become a critical task in every business’s life.

There are, of course, some drawbacks and advantages to this process.

What are the Pros and Cons of Flaw Remediation Process Application?

The Pros your company has with Flaw Remediation Processes:

• You will be able to detect outdated third-party libs faster
• You will have a chance to detect and correct more vulnerabilities and flaws, because of more feedback
• The reevaluation could be faster and cheaper
• Without it, you cannot comply with the requirements of ISO/IEC 62443-4, ISO/SAE 21434, MDR, or, ATE and, AVA classes of Common Criteria

The Cons you will be facing with Flaw Remediation Process application:

• It takes longer and is a very complex procedure
• Compliance costs can be high 

Why Is It Important to Design Flaw Remediation Processes?

Now that you know what flaw remediation is, you might be wondering if your business needs its own flaw remediation processes or not. If you already have those in place, then you might be willing to check if they are compliant with the relevant industry legislation or standards or not. Let’s talk about why it is essential and what it does to protect your information:

• Flaw remediation is more efficient restoration management for cyber information. It repairs data and bugs in a shorter time.
• Designing and applying these processes make products’ post-market repairs more cost-effective.
• Using flaw remediation processes ease regulatory and standard compliance inspections.
• With a flaw remediation plan, everyone will know what they are responsible for. There will be less risk of roadblocks when emergencies come up, just like any other emergency preparedness measure.
• Having flaw remediation processes in place is mandatory for companies operating in specific industries due to legal requirements. For example, the medical device manufacturers will have to comply with MDR / IVDR EU regulations and the AI / ML legislation to provide the requirements for artificial intelligence and machine learning solution providers is in a draft state at the moment. 
• Some other industry international standards like ISO/SAE 21434 and IEC 62443-4 also include requirements for flaw remediation, which will affect the automotive industry and other industrial control system providers as well.

What Does a Flaw Remediation Process Consist Of?

Here are some of the fundamental activities that you can expect to see in a solid flaw remediation process: 

• Manage client communication
• Follow and investigate reported flaws
• Ensure the proper remedial measures are taken
• Arrange measures into a streamlined process

When done correctly, everyone will know their role in this process and will be able to act on it.

‍

What are the 4 steps of vulnerability remediation process?

The vulnerability remediation process is a method that corrects or neutralizes discovered defects. The four steps of the process are:

• Find: Detecting flaws through screening and testing
• Prioritize: Recognize which vulnerabilities cause a genuine and severe risk
• Fix: Blocking, fixing, or neutralizing flaws in real-time
• Monitor: Use real-time alerts and notifications to automatically monitor projects and code for newly identified vulnerabilities

Google Zero uses flaw remediation to pinpoint, report, and fix information system flaws. This process is vital to ensuring the safety and health of your website and digital information.

Who Are We?

Our company was founded in 2013 as an agile cybersecurity laboratory. Here at CCLab, we provide services like ISO 15408 Common Criteria evaluation and Common Criteria consultation services. We are a third-party independent accredited CC testing laboratory responsible for assessing software products. 

We also offer Medical Device Cybersecurity, Industrial Control System Security Services, and Automotive cybersecurity solutions. 

We believe that Google Zero is a very important project and can see its benefits from our partner’s point of view.  

How can CCLab Help With Flaw Remediation Processes?

With the help of Google Zero’s findings, our consultants at CCLab can help you design a flaw remediation process that works for you.

No matter where you start this process, we can help. If you don’t have flaw remediation processes in place, we can design them for you and assess the most effective methods. 

We can help you if you already have flaw remediation processes that you want to optimize. We can help measure them against an internationally accepted standard and ensure it is perfect. 

We can also prepare you for regulatory compliance (MDR / IVDR, AI/ML) and/or certification based on industry standards such as ISO/SAE 21434, and ISO/IEC 62443.

Do you have more questions regarding the topic? Get in touch with us!