Software supply chain security is among “the most critical national security risks facing governments worldwide,” said Royal Hansen, Google’s VP of engineering for privacy, safety and security, in a Thursday blog post.
Research from Mandiant, which Google acquired in September for $5.4 billion to propel its security prospects, identified the software supply chain as the second most-prevalent initial infection vector.
With open-source components — which rely on multiple internal and external dependencies — comprising 90% of most software applications today, the software supply chain ecosystem is vulnerable, Google said in a research report published on Thursday.
Most of the work underway to improve open source software security is voluntary. This places a high burden on organizations that must assess the quality of dependencies they consume and ensure mechanisms are in place to receive and quickly act upon the latest vulnerabilities, the report said.
SolarWinds and Log4j, two of the most significant software supply chain events of late, emphasize the urgent need to address these challenges across the entire ecosystem, according to Google.
The company is ramping up efforts to expand capabilities in Supply-chain Levels for Software Artifacts (SLSA) to develop a framework that helps organizations meet the National Institute of Standards and Technology’s secure software development guidelines.
Google open-sourced SLSA to gather more feedback and contributions from the open source community, but it warns there is a real risk that those efforts will become disjointed globally.
“We urge global governments to pursue alignment on these issues to the greatest extent possible to avoid fragmentation and adoption of measures that would stifle innovation,” the report said.
Google highlighted three core pillars for governments and organizations to address software supply chain risk:
- Adopt security best practices and standards
- Build a more resilient software ecosystem
- Continue making investments in security
The company also pointed to multiple efforts underway to institute those objectives across government, industry, academia and the open source community. It also offered a checklist of policy recommendations aimed at improving the resilience of the software supply chain.
“Our approach to supply chain security is rooted in a basic principle: we defend better together,” Hansen said.