
Google Trumpets US Federal Open Source Security Initiative

Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.

The Securing Open Source Software Act introduced in the Senate last month [PDF] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government’s use of open source software.

“We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large,” noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.

Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.

Hansen noted that “seemingly simple questions about the open-source supply chain are still difficult to answer,” including:

  • Does a project contain known vulnerabilities?
  • Are the project’s maintainers and community following security best practices during software development?
  • What open source dependencies are part of a particular piece of software?
  • How secure was the distribution supply chain?

Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of materials (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.

The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.

“Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem,” Hansen said.
