Project Zero: Enforcing Product Updates

Cody Wallis
Maryville University Cyber Fusion Center
Apr 28, 2021

Cybersecurity Trends

Google’s Project Zero has announced a new initiative this week that might encourage companies to update their products more often to keep them more secure. They stated in a post that they would not share the technical details of a vulnerability for 30 days if a vendor patches it before the deadline set by Google. This is a great move that many other companies should adopt. It helps speed up the update time and improves vulnerability disclosures.

Why Should Companies Follow Project Zero?

There is frequently a lot of hope that vulnerabilities will just go away or that they will not be found. Unfortunately, this is a highly insecure practice and can lead to massive damages. Sharing details with vendors about vulnerabilities and allowing them time to update ensures that they are aware of the potential dangers and how to fix them. At the end of the day, this benefits the end user as well, ensuring that their information stays safe. If more companies adopt this policy, it can allow time to react to the news and implement a proper strategy. Vendors will no longer have the excuse that they did not know about a vulnerability, and the policy helps create accountability, which is very much needed.

Why Update

When a vulnerability is announced, there is usually not much time to fix the issue, and the time frame to create a plan of action is shrinking. Updating on a whim can cause problems if not correctly scoped, so giving companies time to make a plan can help prevent future vulnerabilities as well. If companies do not utilize this information, they can be susceptible to the following:

  • Man-In-The-Middle Attacks
  • Phishing
  • Viruses
  • Data exfiltration

This initiative has the best interests of the company and the end user in mind; threat actors do not wait for good actors to fix their issues, and the initiative helps ensure that the defense has proper time to create a plan of action. In the plan of action, it is important to consider:

  • How will this affect existing systems?
  • Will we lose productivity?
  • When is the best time to perform maintenance?
  • Will this lead to other issues?

Upon request, the Maryville Cyber Fusion Center can perform a security audit to determine whether you are vulnerable to this, and can suggest or assist with remediation if vulnerabilities exist. Please reach out to cyber@maryville.edu if you have any questions or concerns relating to these issues.
