In response to recent recommendations from the US government to take action against risks connected to the Log4j vulnerability, Google said it supports the advisories and detailed its own defence strategy. In a recent assessment on the Log4j vulnerability, the U.S. Department of Homeland Security (DHS) asked the entire sector to band together and strengthen cybersecurity precautions, warning that it might remain undetected on unpatched endpoints for up to 10 years.
“We welcome the U.S. Government’s work to improve the nation’s cybersecurity, including through establishment of the CSRB to review incidents like log4j,” Google said in a blog post.
The report, among other things, provided three recommendations for the industry’s future actions: promoting the adoption of best practises; improving the software ecosystem; and making long-term investments in digital security. Google stated that it will continue to make security a “cornerstone of our product strategy” and that it will share its internal frameworks and best practises with others in order to advance current security hygiene best practises.
In an effort to spur industry-wide discussion and advancement on the security and sustainability of the open-source ecosystem, the company stated “We partner closely with industry stakeholders to identify and address vulnerabilities in the ecosystem, and share best practises on how to address the latest security threats”.
When it comes to creating a better software environment, Google sees itself as a market leader, claiming that it promotes, instigates, and funds initiatives and programmes that allow everyone to participate in and contribute to the global open source ecosystem.
And lastly, Google has significant investment intentions for the future. It promised a $10 billion investment in cybersecurity last year that will span five years and include a $100 million investment in outside organisations like OpenSSF.
“We welcome the chance to participate in future review board processes, and look forward to working alongside others to continue to protect the nation’s software supply chain ecosystem,” the announcement concludes. “It’s clear that public and private sector stakeholders learned a great deal from log4j and the report provides an in-depth review of shared challenges and potential solutions. Now, we must act on those learnings to improve the security of the entire ecosystem.”