Dive Brief:
- Google is backing efforts to improve the security of open source software, building on the Cyber Safety Review Board’s analysis of the Log4j vulnerability crisis, according to a blog post from Royal Hansen, VP of engineering for privacy, safety and security at Google, and Phil Venables, VP and CISO of Google Cloud.
- Google will continue to make security a cornerstone of its product strategy and has committed to sharing its internal frameworks and best practices with industry stakeholders, the company said. Google contributed heavily to the Open Source Security Foundation's guide on coordinated vulnerability disclosure, according to the blog.
- Google said it will continue efforts to build a better software ecosystem and drive open source innovation. The company announced Google Cloud's Assured Open Source Software Service in May, and the service entered preview during the third quarter.
Dive Insight:
The CSRB report highlighted the ongoing risk posed by the Log4j crisis, which the post-mortem report referred to as an "endemic vulnerability" that could last for decades.
The Log4j disclosures did not lead to the level of high-leverage attacks that were initially feared, the review board found. However, there were a number of criminal and nation-state attacks, and the episode exposed severe inequities in the software supply chain.
When Log4j was initially disclosed, about 35,000 Java packages were affected, Google said. As of last week, only 40% of the affected packages had remediated the problem.
Google is one of several technology industry leaders that pledged millions of dollars of funding in May to invest in the security of open source software. Google Cloud has also positioned itself as a leading provider of enterprise security, following deals to buy incident response firm Mandiant and the prior agreement to buy Siemplify.
“We as an industry should support efforts like this to clean up and maintain Open Source code,” Mark Horvath, Gartner senior director analyst, said via email. “As pointed out, the software industry’s security technical debt in OSS is large, and anything that both keeps it from getting worse or actually lowers that debt is an effort we should all get behind.”
Gartner research shows 70% of enterprises will increase IT spending on open source software through 2026.