Why Google supports the US Securing Open Source Software Act

Open source software — code that is made freely available to the public to use or modify — is the foundation of the modern internet. It’s given us a world that is more innovative and more accessible. Yet the very openness that makes the digital world accessible to everyone, also leaves it uniquely vulnerable to security threats and cyber attacks.

At Google, we’ve been working to solve this paradox for years — and have arrived at the conclusion that modern digital security actually can come through embracing openness. We protect more people online than anyone, and we recently announced a $10 billion investment in making the internet safer and more secure. But with the dramatic rise of state-sponsored cyber attacks and malicious actors online, it’s clear that we not only need stronger public-private partnerships — but dynamic policy frameworks to shore up security for everyone.

That’s why we welcome efforts by the U.S. Government to advance open source software security, such as the Securing Open Source Software Act introduced in the Senate last month. This bipartisan bill proposes the creation of a framework to guide the federal government in their use of open source software. The proposed legislation reflects a helpful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain.

We are glad to see a continued emphasis on the importance of open source software security from the U.S. Government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large.

The problem of securing open source

The world of open source software development allows collaboration and rapid innovation by sharing solutions freely. This community, built on openness and sharing, contributes an enormous amount of code to a majority of the applications we use today.

However, despite the benefits of this openness, the unprecedented scale of recent attacks has emphasized gaps in infrastructure and tooling and the need for improved transparency into the security practices and attributes of open source projects. Seemingly simple questions about the open source supply chain are still difficult to answer:

• Does a project contain known vulnerabilities?
• Are the project’s maintainers and community following security best practices during software development?
• What open source dependencies are part of a particular piece of software?
• How secure was the distribution supply chain?

Answering these questions requires specialized technical skills and capabilities, and given the primarily volunteer-driven nature of the open source community, we cannot expect open source developers to shoulder the full burden of advancing software security on their own.

Continued advances

Through our work with multiple industry collaborators, Google has helped create free tools, services and best practices to make it easier for the open source community to develop and distribute software securely, while providing consumers with information about the security of the software they use.

We envision a more secure future where the burden of security is shared, and there is increased trust in and resilience of the open source software ecosystem. To get there, we need freely available, automated solutions that make developer’s lives easier, such as:

• Infrastructure that prevents tampering, by default, when software is being built and released
• Advances in vulnerability discovery and management that automate finding, tracking and fixing bugs for developers
• Seamless connections across sources of security data and tools for analysis so consumers can have meaningful insight into the security of their software

We’re currently working to make these solutions a reality, at scale, with little to no additional work for developers.

Sustaining the community

We hope that the framework that will emerge due to U.S. Government efforts drives further investments in open source communities by both the public and private sectors. We’re already seeing the impact of the $100M Google pledged to non-profit organizations and software foundations like the Open Source Security Foundation to support open source creators.

This pledge backs efforts like our “open source maintenance crew,” a team of developers who spend 100 percent of their time directly enabling critical open source projects to adopt key security improvements. It also supports our Linux Kernel team, which continues to drive efforts to eliminate entire classes of bugs from open source code, including paving the way for greater memory safety using the Rust language.

We encourage other major consumers of open source to follow this lead and directly invest both funds and developer time in securing open source projects and ecosystems. Furthermore, we call on other major consumers of open source, both public and private, to implement similar policies around safe open source usage as well.

Securing open source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem.