Google backs call for tighter open source security in aftermath of Log4j

[Image: Google headquarters with bikes in view. Image credit: Uladzik Kryhin / Shutterstock]

Google has responded to recent US government calls to crack down on threats related to the Log4j vulnerability, saying it backs the warnings and setting out how it plans to act on them.

The U.S. Department of Homeland Security (DHS) recently published a report on the Log4j vulnerability, saying it could linger on unpatched endpoints for as long as a decade, and urged the entire industry to unite and tighten up on cybersecurity measures.

“We welcome the U.S. Government’s work to improve the nation’s cybersecurity, including through establishment of the CSRB to review incidents like log4j,” Google said in a blog post.

Building better software

Among other recommendations, the report outlined three areas the industry should focus on in the future: driving adoption of best practices; building a better software ecosystem; and making long-term investments in digital security.

When it comes to driving adoption of existing best practices for security hygiene, Google said it will continue to keep security a “cornerstone of our product strategy”, adding that it is committed to sharing its internal frameworks and best practices with others.

“We partner closely with industry stakeholders to identify and address vulnerabilities in the ecosystem, and share best practices on how to address the latest security threats,” the company said, hoping this information will trigger industry-wide discussion and progress on the security and sustainability of the open-source ecosystem.

As for building a better software ecosystem, Google sees itself as an industry leader, saying it sponsors, creates, and invests in projects and programs that enable everyone to join and contribute to the global open source ecosystem. “We will continue to make open source security a priority and urge others to do the same, because the health and availability of open source projects strengthens the security posture of users and developers everywhere.”

And finally, Google has big plans for future investments. Last year, it announced a $10 billion cybersecurity investment over five years, which includes a $100 million investment in third-party foundations like OpenSSF.

“We welcome the chance to participate in future review board processes, and look forward to working alongside others to continue to protect the nation’s software supply chain ecosystem,” the announcement concludes. “It’s clear that public and private sector stakeholders learned a great deal from log4j and the report provides an in-depth review of shared challenges and potential solutions. Now, we must act on those learnings to improve the security of the entire ecosystem.”

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.