- Google announced that the company will participate in the development of the report by sharing information.
- The tech giant spent $7.5 million on open-source security efforts in 2021.
- Google introduced Open Source Insights, designed to list and visualize projects’ dependencies and their properties.
The U.S. Department of Homeland Security announced that the Cyber Safety Review Board (CSRB) has published its first report, covering the December 2021 log4j (Log4Shell) software library vulnerabilities. Google said it will take part in the CSRB's work going forward and will share its experience to help address the report's recommendations.
Open-source security improvements
Google said it will focus on helping the rest of the industry improve open-source security by:
- Driving adoption of best practices
- Building a better software ecosystem
- Making long-term investments in digital security
By sharing this information, Google aims to start an industry-wide discussion and make progress on the security and sustainability of the open-source ecosystem. Google contributed to the Open Source Security Foundation's (OpenSSF) guide on coordinated vulnerability disclosure for open-source projects, and helped establish the OpenSSF Scorecard project, which automates the evaluation of an open-source project's security practices.
Google also introduced Open Source Insights in 2021. It lists and visualizes a project's dependencies, including transitive ones, and their properties. When the log4j vulnerabilities were disclosed, the Open Source Insights team reported that more than 35,000 Java packages in Maven Central were affected through their dependency chains. The team also compiled a list of 500 affected packages to help prioritize patching and remediation.
Google started the OpenSSF Alpha-Omega and SOS projects, which aim to improve the security posture of open-source projects by directly funding work such as hiring security professionals, conducting security audits, and helping maintainers adopt security tooling. In 2021, the company spent $7.5 million on open-source security efforts. Google said:
"As the report points out, our work on log4j continues. We applaud the Board's recognition that public and private sector stakeholders need to make significant investments for the future to improve the nation's digital security over the long term. At Google, we are committed to doing our part. For example, last year, we announced that we will invest $10 billion over the next five years to strengthen cybersecurity, including helping secure the software supply chain and enhancing open-source security. This includes $100 million to support third-party foundations like OpenSSF that manage open source security priorities and help fix vulnerabilities.
We welcome the chance to participate in future review board processes, and look forward to working alongside others to continue to protect the nation's software supply chain ecosystem. It's clear that public and private sector stakeholders learned a great deal from log4j and the report provides an in-depth review of shared challenges and potential solutions. Now, we must act on those learnings to improve the security of the entire ecosystem."