"Google Trumpets US Federal Open Source Security Initiative"

The Securing Open Source Software Act introduced in the Senate last month is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software. Google is urging the private sector to support the initiative. Google noted that it was glad to see a continued emphasis on the importance of open source software security from the U.S. government and hopes that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large.

Open source software code is fundamentally the engine that drives the modern digital enterprise. However, malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.

Royal Hansen, engineering vice president for Google's trust and safety team, stated that "seemingly simple questions about the open source supply chain are still difficult to answer," including: Does a project contain known vulnerabilities? Are the project's maintainers and community following security best practices during software development? What open source dependencies are part of a particular piece of software? And how secure was the distribution supply chain?

According to Google, the new federal legislation, if it passes, will encourage more public-private partnerships and bring the public sector to the table in even more meaningful ways. Hansen noted that securing open source software is a shared responsibility and that Google looks forward to continued collaboration on this urgent, critical problem.


Dark Reading reports: "Google Trumpets US Federal Open Source Security Initiative"