After attending the recent White House Open Source Software Security Summit (opens in new tab), Google is now calling for a public-private partnership to not only fund but also staff essential open-source projects.
In a new blog post (opens in new tab), president of global affairs and chief legal officer at both Google and Alphabet, Kent Walker laid out the search giant's plans to better secure the open-source software ecosystem.
For too long, businesses and governments have taken comfort in the assumption that open source software (opens in new tab) is generally secure due to its transparent nature. While many believe that more eyes watching can help detect and resolve problems in the open source community, some projects actually don't have many eyes on them while others have few or none at all.
To its credit, Google has been working to raise awareness of the state of open source security and the company has invested millions in developing frameworks and new protective tools. However, the Log4j vulnerability (opens in new tab) and others before it have shown that more work is needed across the ecosystem to develop new models to maintain and secure open source software.
In his blog post, Kent proposes creating a new public-private partnership to identify a list of critical open source projects (opens in new tab) to help prioritize and allocate resources to ensure their security.
In the long term though, new ways of identifying open source software and components that may pose a system risk need to be implemented so that the level of security required can be anticipated and the appropriate resources can be provided.
At the same time, security, maintenance and testing baselines need to be established across both the public and private sector. This will help ensure that national infrastructure (opens in new tab) and other important systems can continue to rely on open source projects. These standards also should be developed through a collaborative process according to Kent with an “emphasis on frequent updates, continuous testing and verified integrity”. Fortunately, the software community has already started this work with organizations like OpenSFF (opens in new tab) working across industry to create these standards.
Now that Google has weighed in on the issue of open source security, expect other tech giants like Microsoft and Apple to propose their own ideas regarding the matter.