Start your day with intelligence. Get The OODA Daily Pulse.

The Software Supply Chain Security Mobilization Plan and Google’s Assured Open-Source Software Initiative

Here at OODA Loop, during the recent spate of unprecedented Joint Cybersecurity Advisories (CSA), we praised CISA and the results of the Joint Cyber Defense Collaborative (JCDC) – which was launched only late last year.   Overall, as OODA CTO Bob Gourley recently pointed out:  “We are so pleased with the quality of work and the professionalism in recent reporting from our government agencies on the nature of the cyber threat.”

The May 2022 OODA Network Member Meeting ended with a discussion of recent developments at the White House  – in partnership with major tech companies  – regarding open source software and code security, including the tech giants’ pledge to $30M to boost open-source software security.

Not much unlike the CISA/JCDC cybersecurity efforts, it seems this commitment and collaboration are also netting results at an unheard-of pace.  Specifically, Google already has plans for a Q322 release of open-source software libraries previously fully vetted by their security operation.

Google’s Assured Open Source Software

In May, “Google announced a new initiative…aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers.” (1)  Andy Chang, group product manager for security and privacy at Google Cloud, in the announcement of the initiative, wrote:  “There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks.  Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open-source software ecosystem more secure.”

Chang also noted in the announcement that much of this activity started in response to the Log4j vulnerability experience in late 2021.

The Assured Open Source Software Initiative will:

  • Extend the benefits of Google’s own extensive software auditing experience to Cloud customers.
  • Make available all open-source packages through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.
  • Make available a list of the 550 major open-source libraries being continuously reviewed by Google on GitHub.
  • Make available libraries that can be downloaded independently of Google; also, the Assured OSS program will see audited versions distributed through Google Cloud — mitigating against incidents where developers intentionally or unintentionally corrupt widely used open-source libraries.; and

The service will be in early access mode and is expected to be made available for wider customer testing in Q3 2022. (1)

What Next?

The Verve puts the Google initiative in a larger context and noted further open-source security resources dedicated to the effort by Google:

The announcement from Google comes as part of an industry-wide drive to improve the security of the open-source software supply chain and one that has also been supported by the Biden administration.

In January, a group of some of the nation’s largest tech companies met with representatives of federal agencies including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency to discuss open-source software security in the wake of the log4j bug. Since then, a recent meeting of the companies involved resulted in a pledge of more than $30 million in funding to boost open-source software security.

Besides contributing funding, Google is also putting engineering hours toward keeping the supply chain secure. The company recently announced the formation of an “Open Source Maintenance Crew” that would work with the maintainers of popular libraries to improve security. (1)

Tech Crunch contextualized the industry-wide “next steps” in the following manner:

  • Companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open-source software.
  • Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.
  • The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open-source community, the elimination of non-memory safe programming languages like C++ and COBOL, and for annual third-party code reviews of 200 of the most critical open-source software components.
  • The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.
  • “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.” (3)

In April, while not a part of the Software Supply Chain Security Mobilization Plan,  the private sector also stepped up to the cybersecurity plate with the Critical Infrastructure Defense Project: Free, Premium Cybersecurity Services Available to Hospitals and Utilities.  We will continue to provide research and analysis of initiatives, product releases, and major announcements which grow out of the Software Supply Chain Security Mobilization Plan collaboration.

Stay Informed

It should go without saying that tracking threats are critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community

Tagged: open source
Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.