We welcomed the opportunity to participate in the White House Open Source Software Security Summit today, building on our work with the Administration to strengthen America’s collective cybersecurity through critical areas like open source software.
Industries and governments have been making strides to tackle the frequent security issues that plague legacy, proprietary software. The recent log4j open source software vulnerability shows that we need the same attention and commitment to safeguarding open source tools, which are just as critical.
Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.
For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.
At Google, we’ve been working to raise awareness of the state of open source security. We’ve invested millions in developing frameworks and new protective tools. We’ve also contributed financial resources to groups and individuals working on securing foundational open source projects like Linux. Just last year, as part of our $10 billion commitment to advancing cybersecurity, we pledged to expand the application of our Supply chain Levels for Software Artifacts (SLSA or “Salsa”) framework to protect key open source components. That includes $100 million to support independent organizations, like the Open Source Security Foundation (OpenSSF), that manage open source security priorities and help fix vulnerabilities.
But we know more work is needed across the ecosystem to create new models for maintaining and securing open source software. During today’s meeting, we shared a series of proposals for how to do this:
Identifying critical projects
We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.
Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.
Establishing security, maintenance & testing baselines
Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.
Fortunately, the software community is off to a running start. Organizations like the OpenSSF are already working across industry to create these standards (including supporting efforts like our SLSA framework).
Increasing public and private support
Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source. That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort.
Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step towards addressing it. We applaud the efforts of the National Security Council, the Office of the National Cyber Director, and DHS CISA in leading a concerted response to cybersecurity challenges and we look forward to continuing to do our part to support that work.