Google backs Senate bill on securing open source software

Google joined other industry forces on Thursday in support of legislation to secure open source software.

The Securing Open Source Software Act was introduced in September by Senate Homeland Security Committee leader Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio) and was quickly approved in a voice vote. 

If signed into law, the bipartisan legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework within the next year that details how the federal government relies on open-source code.

The legislation includes a slate of other measures centered on open source security, including a mandate that the Office of Management and Budget issue guidance on the topic as well as orders for CISA to hire more open source security experts. 

Google said the bill would help “guide the federal government in their use of open source software” and “reflects a helpful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain.”

“We are glad to see a continued emphasis on the importance of open source software security from the U.S. Government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large,” the company said on Thursday. 

The Open Source Security Foundation — which counts GitHub, Microsoft, Google, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung and many more as members — also came out in support of the legislation last month. 

Log4j impacts

The bill was initially introduced in response to the controversy around Log4j — a widespread vulnerability buried within thousands of popular tools. 

Google was heavily involved in the investigation of that vulnerability, with Google Vice President of Security Engineering Heather Adkins co-chairing the government’s review of the incident with Department of Homeland Security leaders.

The board said in August that organizations “are going to be dealing with continued Log4j exposure for years to come, maybe a decade or longer.” Attacks exploiting the bug continue to be unearthed more than 10 months after the issue was discovered.

Several other open source vulnerabilities have come to light since Log4j, prompting both the U.S. government and Google to step up efforts to address the trend. 

Senator Peters told The Record that the vulnerability in Log4J “demonstrated just how much we rely on open source code.” 

“That is why I am leading this bipartisan bill – to help prevent cybercriminals from taking advantage of potential vulnerabilities found in widely used open source software to disrupt lives and livelihoods,” he said. 

“I’m proud to have broad, bipartisan support for this legislation and will continue working to ensure it is signed into law as soon as possible.”

Google said the bill addresses several common questions security experts now have to ask when investigating open source software vulnerabilities. It would force government agencies to know whether a project contains known vulnerabilities or if a project’s maintainers have followed security best practices during its development. 

Questions about what open source dependencies a piece of software has and how secure a supply chain is are now pertinent for government agencies purchasing tools. 

“We hope that the framework that will emerge due to U.S. Government efforts drives further investments in open source communities by both the public and private sectors,” Google said. 

Google has also invested heavily in open source security, pledging $100 million to non-profit organizations and software foundations like the Open Source Security Foundation to support open source creators. 

The tech giant has also announced several initiatives designed to address open source security, including a new software bill of materials effort last week. 

The act now awaits a vote in the full U.S. Senate but may end up attached to other legislation like the annual defense policy bill.