Google has announced that it will invest $10 billion over the next five years to strengthen open source security and cybersecurity, including expanding zero-trust programs and helping secure the software supply chain.
The announcement follows the company’s participation in President Biden’s White House cybersecurity meeting on Wednesday.
Following the SolarWinds attack, the software world gained a deeper understanding of the real risks and ramifications of supply chain attacks. Today, the vast majority of modern software development makes use of open source software, including software incorporated into many aspects of critical infrastructure and national security systems.
Despite this, there is no formal requirement or standard for maintaining the security of that software. Most of the work done to enhance the security of open source software, including fixing known vulnerabilities, is done on an ad hoc basis.
Google had earlier developed the SLSA framework for securing the software supply chain. It had also planned to invest in expanding the application of the framework to protect key components of open source software widely used by many organisations. “We also pledged to provide $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities,” writes Kent Walker, SVP of Global Affairs at Google, in a blog post.