Google’s move to set up Project Zero is very welcome. The infrastructure on which we run our businesses and our lives is showing its fragile nature as each new, successful attack is disclosed. Unfortunately, we all share significant risks, not least because IT tends towards “monoculture”, with only a few major pieces of hardware and software being used most of the time. Organizations use the common equipment because it’s cheaper, because it’s better understood by staff, and because we all tend to do what we see our neighbors doing. These upsides come at a cost, though – it means attackers can find a single defect, and it can open thousands or even millions of doors, as we recently saw with Heartbleed. This situation isn’t likely to change soon, so it’s welcome news whenever there are more eyes on the problem, trying to find and disclose defects before attackers do.
Attacks proliferate rapidly – very rapidly, in a quite robust market for newly found, highly effective vulnerabilities. As they do so, it has become crystal clear that traditional passive, reactive methods of defense are insufficient. Google’s investment underscores the critical importance of proactive analysis of potential attack vectors. Any organization that is not developing a set of defenses from proactive analysis through reactive defenses is leaving the door open to attacks. Defenders need ways to automate – to pick up all the discoveries as they are found by the “good guys”, so they can assess their own risk and keep up with remediation. Recent incidents like Code Spaces and Target make clear that the health of enterprises and the careers of their executives are at stake; just expecting defenses to hold without some way to automate validation is not tenable. Hope is not a strategy.