Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
A bipartisan bill aims to create a usable framework for the use of open source components when building applications, which Google is urging the private sector to support.
2 Min Read
Source: tippapatt via Adobe Stock
Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.
The Securing Open Source Software Act introduced in the Senate last month [PDF] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software.
"We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large," noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.
Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.
Hansen noted that "seemingly simple questions about the open-source supply chain are still difficult to answer," including:
Does a project contain known vulnerabilities?
Are the project’s maintainers and community following security best practices during software development?
What open source dependencies are part of a particular piece of software?
How secure was the distribution supply chain?
Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of material (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.
The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.
"Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem," Hansen said.
About the Author(s)
You May Also Like
More Insights
Webinars
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024
