Cloud Blog: Google Cloud deepens its commitment to security and transparency with expanded CVE program

Source URL: https://cloud.google.com/blog/products/identity-security/google-cloud-expands-cve-program/
Source: Cloud Blog
Title: Google Cloud deepens its commitment to security and transparency with expanded CVE program

Feedly Summary: At Google Cloud, we recognize that helping customers and government agencies keep tabs on vulnerabilities plays a critical role in securing consumers, enterprises, and software vendors. 
We have seen the Common Vulnerabilities and Exposures (CVE) system evolve into an essential part of building trust across the IT ecosystem. CVEs can help users of software and services identify vulnerabilities that require action, and they have become a global, standardized tracking mechanism that includes information crucial to identifying and prioritizing each vulnerability. 
As part of our continued commitment to security and transparency on vulnerabilities found in our products and services, effective today we will be issuing CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching. 
To help users easily recognize that a Google Cloud vulnerability does not require customer action, we will annotate the CVE record with the “exclusively-hosted-service” tag. No action is required by customers in relation to this announcement at this time. 
“Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors. We will continue to lead and innovate across the community of defenders,” said Phil Venables, CISO, Google Cloud.
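The “exclusively-hosted-service” annotation described above is one of the CNA tags defined in the CVE Record Format 5.x JSON schema (`containers.cna.tags`). The following is an added example, not code from Google or the CVE program, showing how a vulnerability-management pipeline could split a CVE feed into records that still need customer review and records the provider has already fixed on its side. It assumes records follow the CVE JSON 5.x layout; the three sample records and their `CVE-0000-*` identifiers are constructed placeholders, not real CVEs.

```python
"""Triage CVE Record Format 5.x JSON records by the CNA "exclusively-hosted-service" tag.

Added example, not Google's or the CVE program's code. Assumptions: records follow
the CVE JSON 5.x schema (CNA tags live in containers.cna.tags, CVSS metrics in
containers.cna.metrics); the sample feed below is constructed and its CVE IDs are
placeholders, not real identifiers.
"""
import json
from dataclasses import dataclass
from typing import List, Tuple

HOSTED_SERVICE_TAG = "exclusively-hosted-service"

# Constructed sample feed (placeholder IDs, not real CVEs): one hosted-service
# issue, one that affects customer-deployed software, one rejected record.
SAMPLE_FEED = json.dumps([
    {
        "dataType": "CVE_RECORD", "dataVersion": "5.0",
        "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "title": "Placeholder: hosted-service issue fixed provider-side",
            "affected": [{"vendor": "ExampleCloud", "product": "Managed Service",
                          "versions": [{"version": "0", "status": "affected"}]}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1,
                                      "baseSeverity": "CRITICAL"}}],
            "tags": [HOSTED_SERVICE_TAG],
        }},
    },
    {
        "dataType": "CVE_RECORD", "dataVersion": "5.0",
        "cveMetadata": {"cveId": "CVE-0000-00002", "state": "PUBLISHED"},
        "containers": {"cna": {
            "title": "Placeholder: customer-deployed agent needs an upgrade",
            "affected": [{"vendor": "ExampleCloud", "product": "Node Agent",
                          "versions": [{"version": "1.0", "status": "affected",
                                        "lessThan": "1.2", "versionType": "semver"}]}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8,
                                      "baseSeverity": "HIGH"}}],
        }},
    },
    {
        "dataType": "CVE_RECORD", "dataVersion": "5.0",
        "cveMetadata": {"cveId": "CVE-0000-00003", "state": "REJECTED"},
        "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "placeholder"}]}},
    },
])


@dataclass(frozen=True)
class Triage:
    cve_id: str
    severity: str
    hosted_only: bool          # True when the CNA tagged it exclusively-hosted-service
    products: Tuple[str, ...]  # vendor/product pairs from containers.cna.affected


def _cna(record: dict) -> dict:
    """The CNA container of a record, or {} if absent."""
    return record.get("containers", {}).get("cna", {})


def cna_tags(record: dict) -> Tuple[str, ...]:
    """CNA tags of a record as a tuple (empty when the CNA set none)."""
    return tuple(_cna(record).get("tags", ()))


def base_severity(record: dict) -> str:
    """Base severity from the newest CVSS block the CNA supplied, else 'UNKNOWN'."""
    for metric in _cna(record).get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            block = metric.get(key)
            if block and "baseSeverity" in block:
                return str(block["baseSeverity"]).upper()
    return "UNKNOWN"


def triage(record: dict) -> Triage:
    """Classify one PUBLISHED record by the hosted-service tag."""
    cna = _cna(record)
    products = tuple(f"{a.get('vendor', '?')}/{a.get('product', '?')}"
                     for a in cna.get("affected", []))
    return Triage(
        cve_id=record["cveMetadata"]["cveId"],
        severity=base_severity(record),
        hosted_only=HOSTED_SERVICE_TAG in cna_tags(record),
        products=products,
    )


def split_feed(feed_json: str) -> Tuple[List[Triage], List[Triage]]:
    """Return (needs_review, provider_fixed) for the PUBLISHED records in a feed.

    REJECTED and RESERVED records carry no actionable CNA content and are skipped.
    Absence of the tag means "review the affected versions", not "patch blindly".
    """
    needs_review, provider_fixed = [], []
    for record in json.loads(feed_json):
        if record.get("cveMetadata", {}).get("state") != "PUBLISHED":
            continue
        item = triage(record)
        (provider_fixed if item.hosted_only else needs_review).append(item)
    return needs_review, provider_fixed


if __name__ == "__main__":
    needs_review, provider_fixed = split_feed(SAMPLE_FEED)
    for item in needs_review:
        print(f"REVIEW  {item.cve_id} {item.severity:<8} {', '.join(item.products)}")
    for item in provider_fixed:
        print(f"LOGGED  {item.cve_id} {item.severity:<8} fixed by provider (hosted-service tag)")
```

Two caveats worth keeping in such a pipeline: the tag only says the provider has remediated the issue in its hosted service, so tagged records still belong in an audit log rather than being discarded, and an untagged record is not proof that action is required until the `affected` versions have been compared with what is actually deployed.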


Our commitment to vulnerability transparency
The Cyber Safety Review Board (CSRB) has found that a lack of a strong commitment to security creates preventable errors and serious breaches, a particular concern for major platform providers, who have a responsibility to advance security best practices. We can see why the CSRB emphasized best practices for cloud service providers in its report on Storm-0558, which details how the APT group used forged authentication tokens to gain access to email accounts at around 25 organizations, including government agencies. 
By partnering with the industry through programs including Cloud VRP, and driving visibility on vulnerabilities with CVEs, we believe we are advancing security best practices at scale. CVEs are publicly disclosed and can be used by anyone to track and identify vulnerabilities, which has helped our customers to understand their security posture better. Ultimately, issuing CVEs helps us build your trust in Google Cloud as a secure cloud partner for your enterprise and business needs. 
As we noted in our Secure By Design paper, Google has a 20-year history of collaborating with external security researchers, whose independent work discovering vulnerabilities has been helpful to Google. Our vulnerability reporting process encourages direct engagement as part of our community-based approach to addressing security concerns. 
This same community-focused journey took us down the path of launching our first CVE Numbering Authority in 2011. Since then, we’ve issued more than 8,000 CVEs across our consumer and enterprise products. We’ve since expanded our partnership with MITRE, and Google became one of their four Top-Level Roots in 2022.
Today’s announcement marks an important step Google Cloud is making to normalize a culture of transparency around security vulnerabilities, and aligns with our shared fate model, in which we work with our customers to continuously improve security. 
While the Google Cloud VRP has a specific focus on strengthening Google Cloud products and services, and brings together our engineers with external security researchers to further the security posture for all our customers, CVEs enable us to help our customers and security researchers track publicly known vulnerabilities.
Cloud CVEs will continue to be published on our Security Bulletins site. You can learn more about the Google Cloud VRP here.

AI Summary and Description: Yes

Summary: Google Cloud is enhancing its commitment to vulnerability transparency by issuing Common Vulnerabilities and Exposures (CVEs) for critical vulnerabilities, even when no customer action is required. This initiative aims to foster trust and improve security practices across the industry, particularly as highlighted by the Cyber Safety Review Board (CSRB).

Detailed Description:

– Google Cloud has recognized the importance of maintaining vigilance over vulnerabilities to protect consumers and organizations.
– The CVE system plays a pivotal role in tracking and prioritizing vulnerabilities across the IT landscape, helping users identify risks that need immediate attention.
– From this point forward, Google Cloud will start issuing CVEs for critical vulnerabilities present in its services, regardless of whether customer action or patching is mandated.
– A new annotation “exclusively-hosted-service” will indicate that no action is required from customers for specific vulnerabilities.
– The emphasis on transparency and shared responsibility is presented as essential in combating cyber threats and instilling trust among customers.
– The CSRB’s report on the Storm-0558 intrusion emphasizes the need for robust security commitments from cloud providers, outlining the risks associated with inadequate security practices.
– Google Cloud aims to partner with the industry through initiatives like the Google Cloud Vulnerability Reward Program (VRP), promoting best practices in security and visibility over vulnerabilities.
– Google’s 20-year history of collaboration with external security researchers has played a critical role in identifying and addressing vulnerabilities; Google launched its first CVE Numbering Authority in 2011 and has since issued more than 8,000 CVEs.
– The announcement is positioned as a significant move to promote a culture of transparency regarding security, ensuring customers remain well-informed of potential risks.
– Google has expanded its partnership with MITRE, becoming one of four CVE Top-Level Roots in 2022, extending its leadership in the vulnerability disclosure landscape.

– The initiative is expected to:
  – Improve customer understanding of their security posture.
  – Help build trust in Google Cloud as a secure partner.
  – Normalize the practice of transparency regarding vulnerabilities among cloud service providers.

The focus on CVEs as a standardized mechanism presents practical implications for security professionals, making the identification and management of vulnerabilities more streamlined and effective within the cloud domain.