Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.
The Securing Open Source Software Act introduced in the Senate last month [PDF] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software.
"We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large," noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.
Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.
Hansen noted that "seemingly simple questions about the open-source supply chain are still difficult to answer," including:
- Does a project contain known vulnerabilities?
- Are the project’s maintainers and community following security best practices during software development?
- What open source dependencies are part of a particular piece of software?
- How secure was the distribution supply chain?
Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of material (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.
The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.
"Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem," Hansen said.