Google on Tuesday announced Project Zero, an effort to speed up the security bug-fixing process. A team of cybersecurity experts will go after vulnerabilities in any and all software, notify the vendors, and then file bug reports in a public database so users can track the issuance of patches.
The Project Zero team has promised to send bug reports to vendors in as close to real-time as possible, and to work with them to get fixes to users in a reasonable time.
The announcement will shake up software vendors, who are not noted for patching vulnerabilities rapidly; for example, Snapchat for months ignored a security vulnerability brought to its attention and denied knowledge of the flaw when the hacker published details on the Web.
Cybersecurity vendors also will be rattled.
Shake, Rattle and Roll
Google “will start to disrupt the Valley, as they seem to be pivoting hard on security,” John Pirc, chief technology officer at NSS Labs, told TechNewsWorld.
Security vendors are always trying to improve their products, but “the biggest advantage Google has is that it’s the largest search engine provider in the world, and the most common vector of attack is through the Web browser,” Pirc pointed out.
The move “will put pressure on vendors to fix their products, as over time we will all shy away from vendors that don’t fix their bugs quickly,” Pierluigi Stella, CTO of Network Box USA, told TechNewsWorld.
Project Zero’s Aims
Google aims to hire “the best practically minded security researchers to focus solely on improving security across the Internet,” said Researcher Herder Chris Evans.
The team will use standard approaches such as locating and reporting large numbers of vulnerabilities. It also will conduct new research into mitigations, exploitation, program analysis and “anything else that our researchers decide is a worthwhile investment,” he added.
“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” said Evans.
“Yet, in sophisticated attacks, we see the use of zero-day vulnerabilities to target, for example, human rights activists or to conduct industrial espionage,” he pointed out.
“My read of the announcement is that Google’s security team took the NSA surveillance revelations disclosed over the past year personally,” Kyle Kennedy, CTO of Stealthbits Technologies, told TechNewsWorld. This is why it’s hiring researchers to focus on “dangerous vulnerabilities that can be exploited via intelligence agencies, state-sponsored attackers [and] heavily funded attackers.”
Reinventing the Wheel?
Projects with similar goals include Mitre’s CVE structure, while Microsoft and Yahoo have their own bug bounty programs, Ken Bechtel, malware analyst at Tenable Network Security, told TechNewsWorld.
Further, cybersecurity firms already are sharing incidents, exploits and bugs, and many vendors have gotten more proactive in reporting vulnerabilities.
Despite the variety of security industry initiatives, Project Zero “should help drive security best practices and awareness through the IT supply chain,” George Baker, director of professional services at Foreground Security, told TechNewsWorld. “It isn’t just a matter of commercial off-the-shelf software getting more attention; the problem includes the open source technologies that we all depend on.”
The Other Side of Security
On the other hand, patching vulnerabilities and deploying those patches, “no matter how visible through the efforts of the likes of Google, takes time and effort and does not actually protect sensitive data assets from advanced threats,” Mark Bower, VP of product management and solutions architecture at Voltage Security, told TechNewsWorld.
Endless patching “is expensive, disruptive, and simply an arms race against increasingly sophisticated adversaries exploiting undisclosed weaknesses and social engineering,” Bower said, adding that a defense-in-depth strategy is required.