Google Proposes "Know, Prevent, Fix" Framework For Dealing With Security Vulnerabilities

Written by Michael Larabel in Linux Security on 3 February 2021 at 12:29 PM EST.
Google engineers are proposing a new framework called "Know, Prevent, Fix" for dealing with open-source security vulnerabilities.

Google is hoping the industry will get behind its "Know, Prevent, Fix" framework for dealing with open-source security issues. The effort centers on metadata and identity standards, new development processes to ensure sufficient code review for critical pieces of the infrastructure, and similar measures.

The framework focuses on knowing about vulnerabilities in software, preventing the addition of new vulnerabilities, and fixing or removing vulnerabilities that are found. Some concrete items include a standard schema for accessing the multiple vulnerability databases, accurate tracking of software dependencies, understanding the security risk of taking on a new dependency, and proper notification of the relevant parties so that found vulnerabilities get addressed sooner. Google also suggests that there be no unilateral changes to "critical software": every change should be looked over by both an author and a separate reviewer/approver, limiting what any single individual can push through on their own.
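Two of the items above, a normalized vulnerability schema and accurate dependency tracking, only pay off when they meet: a resolved dependency list has to be matched against advisory records with correct version-range logic. The following Python is an added illustration of that matching step; it is not Google's code or any real database's format. The record layout (ecosystem, package name, introduced/fixed range), the package names and the advisory IDs are all constructed for the demo.

```python
"""Match a resolved dependency list against advisories in one normalized
schema. Constructed example: the schema, packages and advisory IDs are
assumptions for this demo, not a real vulnerability database."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Dependency:
    ecosystem: str   # e.g. "PyPI", "npm"; same name in two ecosystems is two packages
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    name: str
    introduced: str         # first affected version, inclusive
    fixed: Optional[str]    # first fixed version, exclusive; None = no fix yet


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10): compare numerically, not lexically, so that
    1.2.10 > 1.2.9. Trailing zeros are stripped so 1.2 == 1.2.0. Non-digit
    suffixes such as '-rc1' are dropped; this demo only handles dotted ints."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """True when the dependency falls inside [introduced, fixed)."""
    if (dep.ecosystem, dep.name) != (adv.ecosystem, adv.name):
        return False
    v = parse_version(dep.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_vulnerable(deps: Iterable[Dependency],
                    advisories: Iterable[Advisory]) -> Dict[str, List[str]]:
    """Map 'ecosystem:name@version' to the sorted advisory IDs that affect it.
    This is the list that would drive notifications to the package's owners."""
    advisories = list(advisories)
    hits: Dict[str, List[str]] = {}
    for dep in deps:
        ids = sorted(a.id for a in advisories if is_affected(dep, a))
        if ids:
            hits[f"{dep.ecosystem}:{dep.name}@{dep.version}"] = ids
    return hits


# Constructed sample input: a tiny resolved dependency set and three advisories.
SAMPLE_DEPS = [
    Dependency("PyPI", "examplelib", "1.4.2"),
    Dependency("PyPI", "otherlib", "2.0.0"),
    Dependency("npm", "examplelib", "1.4.2"),   # same name, other ecosystem
]
SAMPLE_ADVISORIES = [
    Advisory("DEMO-2021-0001", "PyPI", "examplelib", "1.0.0", "1.4.3"),  # hits 1.4.2
    Advisory("DEMO-2021-0002", "PyPI", "examplelib", "1.5.0", None),     # newer than 1.4.2
    Advisory("DEMO-2021-0003", "PyPI", "otherlib", "1.0.0", "2.0.0"),    # 2.0.0 is the fix
]

if __name__ == "__main__":
    for pkg, ids in find_vulnerable(SAMPLE_DEPS, SAMPLE_ADVISORIES).items():
        print(f"{pkg}: {', '.join(ids)}")
```

The two boundary cases are the ones that matter in practice: a version exactly equal to `fixed` is not affected (otherlib 2.0.0 above), and a package name alone is never enough to match, since the ecosystem is part of the identity. Real advisory formats also carry multiple ranges and event types per advisory; that is an extension of the same comparison, not a different one.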

Those wanting to learn more about Google's "Know, Prevent, Fix" proposal can read their initial thoughts/plans via the Google Open-Source Blog.