Google has committed $10 billion over the next five years to “advance cybersecurity” by fixing some of the key problems with open-source and offering more training.
The announcement follows Google’s participation in President Biden’s White House Cyber Security Meeting this week. Leading tech executives including Alphabet CEO Sundar Pichai put their heads together following an increasing prevalence and seriousness of cyberattacks.
Open-source software is vital and speeds up development to match the pace that modern production demands. According to Synopsys’ 2021 Open Source Security and Risk Analysis (OSSRA) report, 98 percent of the audited codebases contained at least one open-source component and 75 percent of all codebases were composed of open-source. However, 84 percent of codebases had at least one vulnerability, with an average of 158 per codebase. The average vulnerability found was 2.2 years old.
Some of these vulnerabilities are accidental, while others are introduced deliberately by attackers who target the software supply chain – as seen with that whole SolarWinds incident. There are clear problems with open-source that need addressing.
In a blog post, Google explains:
“Following the SolarWinds attack, the software world gained a deeper understanding of the real risks and ramifications of supply chain attacks. Today, the vast majority of modern software development makes use of open source software, including software incorporated in many aspects of critical infrastructure and national security systems.
Despite this, there is no formal requirement or standard for maintaining the security of that software. Most of the work that is done to enhance the security of open source software, including fixing known vulnerabilities, is done on an ad hoc basis.”
Organisations that do the noble work of helping to fix vulnerabilities in open-source are being provided $100 million from Google’s coffers. That includes the Open Source Security Foundation (OpenSSF), which Google previously worked alongside to create best practices on how to secure supply chains.
Google says that it’s one of the pioneers in zero-trust computing whereby no person, device, or network is given inherent trust. As with anywhere else in life, trust must be earned. Google is encouraging organisations and the federal government to adopt zero-trust computing and modernise their legacy infrastructures.
Finally, Google will also be helping to boost the number of cybersecurity professionals by helping “100,000 Americans earn Google Career Certificates in fields like IT Support and Data Analytics to learn in-demand skills including data privacy and security.”
Want to learn more about cybersecurity from leaders in the space? Check out Cyber Security & Cloud Expo Global, which runs from 6-7 September 2021.