Article

Exposing flaws to aid security

Google's Android mobile operating system has topped a 50-strong list of products with the most discovered vulnerabilities in 2016, but the news isn't as damning as it at first appears.

While on the face of things, Google's position at the top of the Common Vulnerabilities and Exposures (CVEs) data table may be concerning for Android users, in actual fact the number of CVEs assigned to Android in 2016 is more likely a symptom of Google being proactive in identifying and resolving security issues that affect its products and ought to be a reassuring sign.

To support the identification of such a large quantity of security vulnerabilities (523 distinct coding flaws were identified) requires a great deal of effort and Google has done this effectively by engaging with the community. Only by identifying vulnerabilities can Google go about resolving them and they have done this on a large scale. Indeed, we should be more concerned by companies who are not assigning CVEs and question what security assurance activities they are undertaking.

Google is a large advocate of bug bounty programs, where it pays out and provides recognition for reporting bugs, especially those pertaining to exploits and vulnerabilities. Bug bounty programs can serve to help better secure products and, in this case, will have been a key catalyst in the number of CVEs we see today. Vulnerability hunters are now aware that by disclosing their discoveries to Google they will receive a financial reward and public recognition. This is obviously preferable to vulnerability hunters choosing not to report the issues and therefore increases the likelihood of the issue being exploited with malicious intent in the wild.

Google's own Project Zero team comprises experienced security researchers, whose primary task is to find bugs, break systems and publish detailed notes on how vulnerabilities have been discovered and exploited to the benefit of the security community. As a result, Google’s security contributions extend beyond simply its own products to include also the products that its customers use. To extrapolate from the CVE data that Google is doing poorly with regards to security is clearly too simplistic a view.

 

 

Accreditations

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
As a Certified Simulated Attack Manager and Certified Simulated Attack Specialist, MWR are authorized by CREST to perform STAR penetration testing services.