https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

Making Open Source software safer and more secure
Safety & Security
Jan 13, 2022
Kent Walker, President Global Affairs & Chief Legal Officer, Google & Alphabet

[Image: A map of the United States made up of blue and red 1s and 0s.]

We welcomed the opportunity to participate in the White House Open Source Software Security Summit today, building on our work with the Administration to strengthen America's collective cybersecurity through critical areas like open source software.
Industries and governments have been making strides to tackle the frequent security issues that plague legacy, proprietary software. The recent log4j open source software vulnerability shows that we need the same attention and commitment to safeguarding open source tools, which are just as critical.

Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That's why many aspects of critical infrastructure and national security systems incorporate it. But there's no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that "many eyes" were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.

At Google, we've been working to raise awareness of the state of open source security. We've invested millions in developing frameworks and new protective tools. We've also contributed financial resources to groups and individuals working on securing foundational open source projects like Linux. Just last year, as part of our $10 billion commitment to advancing cybersecurity, we pledged to expand the application of our Supply chain Levels for Software Artifacts (SLSA or "Salsa") framework to protect key open source components. That includes $100 million to support independent organizations, like the Open Source Security Foundation (OpenSSF), that manage open source security priorities and help fix vulnerabilities.
But we know more work is needed across the ecosystem to create new models for maintaining and securing open source software. During today's meeting, we shared a series of proposals for how to do this:

Identifying critical projects

We need a public-private partnership to identify a list of critical open source projects -- with criticality determined based on the influence and importance of a project -- to help prioritize and allocate resources for the most essential security assessments and improvements. Longer term, we need new ways of identifying software that might pose a systemic risk -- based on how it will be integrated into critical projects -- so that we can anticipate the level of security required and provide appropriate resourcing.

Establishing security, maintenance & testing baselines

Growing reliance on open source means that it's time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing -- to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity. Fortunately, the software community is off to a running start. Organizations like the OpenSSF are already working across industry to create these standards (including supporting efforts like our SLSA framework).

Increasing public and private support

Many leading companies and organizations don't recognize how many parts of their critical infrastructure depend on open source. That's why it's essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort.
Given the importance of digital infrastructure in our lives, it's time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world -- it deserves the same focus and funding we give to our roads and bridges.

Today's meeting at the White House was both a recognition of the challenge and an important first step towards addressing it. We applaud the efforts of the National Security Council, the Office of the National Cyber Director, and DHS CISA in leading a concerted response to cybersecurity challenges and we look forward to continuing to do our part to support that work.

POSTED IN: Safety & Security, Public Policy