Google on Thursday joined other industry forces in supporting legislation to secure open source software.
The Free Software Securing Act was introduced in September by Senate Homeland Security Committee Leader Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) and was quickly approved in a voice vote.
If enacted, the bipartisan legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework over the next year that details how the federal government relies on open source code.
The legislation includes a list of other measures centered on open source security, including a mandate for the Office of Management and Budget to issue guidance on the subject as well as orders for CISA to hire more security experts.
Google said the bill would help “guide the federal government in its use of open source software” and “reflects a useful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain”.
“We are pleased to see that the US government continues to emphasize the importance of open source software security, and we hope that public and private organizations will follow their example to promote improved cybersecurity for the ecosystem as a whole,” the company said on Thursday.
The Open Source Security Foundation – whose members include GitHub, Microsoft, Google, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, and many others – also came out in support of the legislation last month.
Impacts of Log4j
The bill was originally introduced in response to the controversy surrounding Log4j – a widespread vulnerability buried in thousands of popular tools.
Google was heavily involved in the investigation of this vulnerability, with Heather Adkins, Google’s vice president of security engineering, co-chairing the government’s review of the incident alongside leaders from the Department of Homeland Security.
The review board said in August that organizations “will face continued exposure from Log4j for years, possibly a decade or more.” Attacks exploiting the bug continue to be discovered more than 10 months after the problem was first disclosed.
Several other open source vulnerabilities have come to light since Log4j, prompting both the US government and Google to step up efforts to address the trend.
Senator Peters told The Record that the Log4J vulnerability “demonstrated how much we rely on open source code.”
“That’s why I’m leading this bipartisan bill – to help prevent cybercriminals from taking advantage of potential vulnerabilities found in widely used open source software to disrupt lives and livelihoods,” he said.
“I am proud to have broad bipartisan support for this legislation and will continue to work to have it enacted as soon as possible.”
Google said the bill addresses several common questions that security experts now need to ask when investigating vulnerabilities in open source software. The bill would require government agencies to know whether a project contains known vulnerabilities and whether a project’s maintainers followed security best practices during its development.
Questions about open source software dependencies and supply chain security are now relevant to government agencies purchasing tools.
“We hope the framework that emerges through the efforts of the US government will drive further investment in open source communities by both the public and private sectors,” Google said.
Google has also invested heavily in open source security, committing $100 million to nonprofits and software foundations like the Open Source Security Foundation to support open source creators.
The bill now awaits a vote in the full US Senate, but could end up attached to other legislation such as the annual defense policy bill.