Google Introduces New Cybersecurity Initiatives to Improve Vulnerability Management

On Thursday, Google unveiled a range of new cybersecurity initiatives aimed at enhancing the vulnerability management ecosystem and promoting greater transparency around exploitation.

“While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story,” the business stated. “These risks include everything from OEM adoption lag time to patch testing pain points to end user update issues and more.”

Incomplete vendor fixes can also pose a significant security risk, as many zero-day exploits turn out to be mere variations of previously patched vulnerabilities.

To fully address vulnerabilities and reduce the risk of cyberattacks, it’s not enough to simply patch known issues as they arise. Instead, we must focus on identifying and addressing the underlying causes of vulnerabilities, such as poor coding practices or outdated software libraries and prioritize contemporary secure software development methods.

 

Google announced the formation of a Hacking Policy Council with Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security to “ensure new policies and regulations support best practices for vulnerability management and disclosure.”

In addition, the company has pledged to publicly disclose any instances of active exploitation of vulnerabilities across its product portfolio as part of its ongoing commitment to transparency and security.

To further support and encourage good-faith security research, Google has announced the creation of a Security Research Legal Defense Fund. This fund will provide seed funding for legal representation to individuals who uncover and report vulnerabilities in a responsible and ethical manner, with the aim of promoting cybersecurity and protecting the interests of researchers.

According to the company, the ultimate goal is to break free from the “doom loop” of constantly patching vulnerabilities and mitigating threats by “focusing on the fundamentals of secure software development, good patch hygiene, and designing for security and ease of patching from the start.”

Google’s latest security initiatives highlight the importance of taking a proactive approach to cybersecurity, focusing on preventing exploitation from the outset, promoting timely patch adoption for known vulnerabilities, establishing policies to address product life cycles, and keeping users informed about any active exploitation of products.

It also emphasizes the significance of implementing secure-by-design concepts across the software development lifecycle.

The announcement coincides with the launch of the deps.dev API by Google, which aims to enhance the security of the software supply chain. This free API service provides access to security metadata and dependency information for over 50 million versions of five million open-source packages available on major repositories such as Go, Maven, PyPI, npm, and Cargo.

In related news, Google’s cloud division has announced that the Assured Open Source Software (Assured OSS) service is now widely available for both the Java and Python ecosystems.