fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Google Project Zero: Vendors are Now Quicker at Fixing Zero-days

Google Project Zero: Vendors are Now Quicker at Fixing Zero-days

Google’s Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year.

As the data shows, the average period software vendors needed to issue security fixes reported by Project Zero last year was 52 days, down from 80 days three years ago.

Moreover, almost all vendors addressed the flaw within the standard industry deadline of 90 days, plus a grace period of two weeks.

Also Read: Vulnerability Assessment vs Penetration Testing: And Why You Need Both

Flaws you can’t ignore

Zero-day vulnerabilities are security issues unknown to the software developer at the time of their discovery or are known but haven’t been patched.

They typically offer hackers a window of opportunity even after a patch becomes available because not everyone can fix the problem immediately.

As such, responding to zero-day vulnerability reports quickly is of utmost importance and it also demonstrates how serious software vendors are about the security of their products, how efficient they are with the development cycle.

For security analysts who discover them, the period of disclosure cannot be extended indefinitely, as there’s always a chance they were not the first to find out about them.

The zero-day landscape

According to 2019-2021 stats based on 376 zero-day findings and reports from Project Zero, 26% concern Microsoft, 23% Apple, and 16% Google.

These three software giants account for 65% of the total findings, reflecting the complexity and high volume of their software products, inevitably creating gaps or dark spots for their otherwise crowded and capable security teams.

Zero-day fixing stats from 2021
Zero-day fixing stats from 2019-2021 (Google)

The best performers in terms of patching within the deadline were Linux, Mozilla, and Google, while the worst were Oracle, Microsoft, and Samsung. Microsoft also had the most fixes within the grace period, marginally pushing them right before they were made public.

In the highly competitive field of mobile OS, Google reports the same performance from both iOS and Android, with the former having an average fix time of 70 days, with the latter needing 72 days.

Also Read: When to Appoint a Data Protection Officer

In the web browser category, Chrome beats everyone with an average bug-fixing period of 29.9 days, while Firefox comes second with 37.8 days.

Browser fix performance
Browser zero-day fix performance (Google)

Apple took more than double that time to fix WebKit flaws, which have been plaguing Safari in the past couple of years, needing an average of 72.7 days.

Diagram illustrating the patching difference in terms of time
Diagram illustrating the patching difference in terms of time (Google)

As Google’s Project Zero team comments in the report

WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days. Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users.

In conclusion, Google’s security analysts have recognized some clear marks of improvement, but vendors can and should do more in the future as adversaries are keeping an eye out for bug reports for a chance to find a new attack avenue.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us