- Google is backing efforts to improve the security of open source software, building on the Cyber Safety Review Board’s analysis of the Log4j vulnerability crisis, according to a blog post from Royal Hansen, VP of engineering for privacy, safety and security at Google, and Phil Venables, VP and CISO of Google Cloud.
- Google will continue to make security a cornerstone of its product strategy and will commit to share its internal frameworks and best practices with industry stakeholders, the company said. Google made heavy contributions to the Open Source Security Foundation’s guide on coordinated vulnerability disclosure, according to the blog.
- Google said it will continue efforts to build a better software ecosystem and drive open source innovation. The company announced Google Cloud’s Assured Open Source Software Service in May and entered preview mode during the third quarter.
The CSRB report highlighted the ongoing risk posed by the Log4j crisis, which the post-mortem report referred to as an "endemic vulnerability" that could last for decades.
The Log4j disclosures did not lead to the predicted level of high leverage attacks that were initially feared, the review board found. However there were a number of criminal and nation-state attacks that exposed severe inequities in the software supply chain.
When Log4j was initially disclosed about 35,000 Java packages were affected, Google said. As of last week only 40% of the affected packages have remediated the problem.
Google is one of several technology industry leaders that pledged millions of dollars of funding in May to invest in the security of open source software. Google Cloud has also positioned itself as a leading provider of enterprise security, following deals to buy incident response firm Mandiant and the prior agreement to buy Siemplify.
“We as an industry should support efforts like this to clean up and maintain Open Source code,” Mark Horvath, Gartner senior director analyst said via email. “As pointed out, the software industry’s security technical debt in OSS is large, and anything that both keeps it from getting worse or actually lowers that debt is an effort we should all get behind.”
Gartner research shows 70% of enterprises will increase IT spending on open source software through 2026.