Cloud CISO Perspectives: Late September 2023

Welcome to the second Cloud CISO Perspectives for September 2023. This month, I’m turning the mic over to my colleague Eric Brewer, Google Cloud’s vice president of infrastructure and Google Fellow, to explain the importance of this year’s Securing Open Source Software Summit and why securing open source code is one of the most crucial tasks we face.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

By Eric Brewer, Google Fellow, vice president, infrastructure, Google Cloud

Earlier this month Phil and I had the great pleasure of participating in the 2023 Securing Open Source Software Summit, hosted by the Open Source Security Foundation (OpenSSF) in Washington, D.C. We joined dozens of leading experts and practitioners representing the tech industry, leading open source foundations, and several U.S. government agencies to recap the progress made in addressing open source risks over the previous 18 months, and to identify priorities for future collaboration.

The first Open Source Software Security Summit was convened by the White House in the immediate aftermath of the Log4Shell vulnerability. Log4Shell was a vulnerability of epic proportions because it was easy to exploit — a perfect 10.0 on the severity scale. It sent tens of thousands of security practitioners scrambling to find and patch vulnerable systems in what was arguably one of the largest collective incident response efforts in Internet history.

While the mood at this year’s summit was somewhat lighter than at the prior gathering, it was nonetheless an opportunity for reflection. The key lesson to come from Log4Shell is that open source security is a lot like environmental conservation. That’s because open source software is a “public good” which is an economic term that means everyone can benefit and we don’t need to compete for the resource. By enabling software developers to freely reuse and build on each others’ contributions, open source ecosystems have proven a key driver of digital innovation in tech, in public services, and in sectors like financial services and healthcare. Similarly, one developer’s use of open source code doesn’t meaningfully reduce open source availability to others.

But just as human activity can strain the environment and natural ecosystems, consumption of open source projects without corresponding investments in maintenance can prove unsustainable — and leave key projects more vulnerable. We’re all stewards of healthy open source ecosystems through the time we spend reviewing others’ code, and when necessary, cleaning it up. Large organizations, such as government agencies and tech companies like Google have an outsized — though by no means exclusive — role to play in that effort.

I have been making the “public good” argument for a few years now, but the big change is now the U.S. government is also using this framing — you can read in the new U.S. open-source security roadmap covered below. It’s great to see that the U.S. has an open-source security strategy, let alone one that lines up well with the “public good” view.

How Google is championing open source security

Even before Log4Shell, Google was making significant investments to help secure key open source ecosystems in response to a troubling rise in software supply chain attacks. Although Google had done great work on the basics (such as support for Linux and OpenSSL) for more than a decade, I started worrying about supply chain attacks in 2018. In my role as tech leader for Kubernetes in particular, I realized how many risky dependencies we were collectively using.

"One of the biggest takeaways from this year’s summit was the rapid evolution of U.S. government policy around open source security in terms of strategy, resources, and expertise to carry out that policy."

This led me to create the OpenSSF in 2019, working with Microsoft and others to get an industry-wide approach to these very difficult problems. Unfortunately, we got off to a rocky start due to the arrival of a very distracting pandemic. The SolarWinds attack in early 2020 was exactly the kind of attack I was worried about, and its arrival gave the OpenSSF an obvious burst of energy and interest (and funding!).

In August 2020, Google helped to relaunch OpenSSF and committed $100 million in funding to help open source maintainers address vulnerabilities. In its first year, we partnered with OpenSSF to launch tools including Scorecard, which helps developers identify trustworthy libraries, and SLSA, a framework for hardening build and release processes.

Following the first summit in 2022, Google announced the creation of an “Open Source Maintenance Crew,” a team of dedicated engineers who work closely with the maintainers of vital open source projects. As of May 2023, members of that team had contributed security improvements to more than 180 widely-used projects. We also partnered with OpenSSF and other tech companies to launch Alpha-Omega, a program aimed at speeding resources and expertise to several high-impact projects and automated tooling for thousands more.

At Google Cloud we’re also taking steps to help our customers use open source securely through our Assured OSS solution. With Assured OSS, Google Cloud is curating more than 1,000 of the most popular Java and Python packages, offering organizations of all sizes access to the same trusted libraries Google’s own engineers rely on. Each library is subject to ongoing fuzz testing and scanning, is signed by a unique Google public-private key, and includes available software bills of materials (SBOMs).

Public-private partnerships to secure open source ecosystems

One of the biggest takeaways from this year’s summit was the rapid evolution of U.S. government policy around open source security in terms of strategy, resources, and expertise to carry out that policy. The summit drew participation by Deputy National Security Advisor Anne Neuberger (who convened the first White House summit and has been an avid proponent of all this good work,) Acting National Cyber Director Kemba Walden, and CISA Executive Assistant Director Eric Goldstein, as well as many others from across government.

"I’m personally pleased to see that the federal government is signaling its commitment to making meaningful contributions to open source security, and to partnering with foundations like OpenSSF and companies like Google to expand the conversation to other sectors and organizations that might otherwise lack the resources to manage open source effectively."

In the 18 months since Log4Shell, government agencies have taken a number of steps to be more engaged in open source security:

• In March, U.S. National Cybersecurity Strategy committed U.S. federal agencies to invest in developing secure open source tools and frameworks and hinted at liability protections for small, independent open source developers;
• Earlier this year the Office of the National Cyber Director (ONCD) launched the Open Source Software Security Initiative (OS3I) in partnership with the White House, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and several other agencies, to focus on memory safety issues; and
• On the first day of the summit itself, Goldstein announced the launch of CISA’s Open Source Security Roadmap outlining the agency’s plans to launch a federal open source program office (OSPO), continue mapping open source risks, drive adoption of SBOMs, and expand access to security education and best practices.

This is by no means an exhaustive list. I’m personally pleased to see that the federal government is signaling its commitment to making meaningful contributions to open source security, and to partnering with foundations like OpenSSF and companies like Google to expand the conversation to other sectors and organizations that might otherwise lack the resources to manage open source effectively.

Some of the most promising areas for public-private collaboration include:

• Championing adoption of memory-safe languages: OS3I has already signaled that its top priority will be to develop strategies for transitioning away from memory-unsafe programming languages, such as C and C++. Large technology companies around the world, including Google, are similarly in the midst of a multi-year journey toward adoption of languages like Rust. OS3I could prove an essential forum for exchanging information and lessons learned.
• Mapping sector-specific open source dependencies: Just as projects like OpenSSF’s Alpha-Omega are geared toward speeding resources to remediate vulnerabilities in a small number of high-risk dependencies, a next step could be to apply this strategy on a sector-by-sector basis. There are significant opportunities for companies like Google to collaborate with sector risk management agencies (SRMAs) and their corresponding ISACs to help critical infrastructure operators “shift left” by prioritizing supply chain security in addition to threat sharing and incident response planning.
• Security education and training: Lack of access to high-quality, low-cost security education for software engineers remains a key barrier to building safer open source ecosystems. Although organizations like ISC2 have succeeded in training tens of thousands of professionals in recent years, there’s much more to be done. In the last year, Google launched a number of new resources in an effort to help address that gap through the new Google Cybersecurity Certificate program through hands-on training provided through Google-sponsored Cyber Clinics.

We look forward to sharing our views on ways to use public-private partnerships to strengthen open source ecosystems in our response to ONCD’s Open Source Software Security RFI.

Here are the latest updates, products, services, and resources from our security teams so far this month:

• How leaders can reduce risk by shutting down security theater: Security theater in the cloud is a problem, but not an insurmountable one. To reduce the risk your organization faces, embrace more practical security — and leave the theatrics behind. Read more.
• Introducing the unified Chronicle Security Operations platform: Chronicle’s latest update unifies our SOAR and SIEM solutions, integrates Mandiant’s attack surface management technology, and offers more robust application of threat intelligence. Read more.
• Confidential VMs on Intel CPUs: Your new intelligent defense: Through our partnership with Intel, Google Cloud is extending Confidential VMs on new C3 machines to use 4th Gen Intel Xeon Scalable CPUs and Intel TDX technology. Read more.
• New custom security posture controls and threat detections in Security Command Center: Security Command Center now allows organizations to design their own customized security controls and threat detectors for their Google Cloud environment. Read more.

Policy Controller violations now in Security Command Center: Policy Controller enforces programmable policies for Google Kubernetes Engine to help customers with security, governance, and compliance guardrails for their workloads. Read more.

• How to scale reducing your attack surface: We’re unveiling new capabilities to Mandiant Attack Surface Management (ASM) that enable an outcome-focused and risk-based approach to security. Read more.
• Backchannel diplomacy: APT29’s rapidly-evolving diplomatic phishing operations: In the first half of 2023, Mandiant and Google’s Threat Analysis Group (TAG) have tracked an increase in the frequency and scope of APT29 phishing operations, often centered on foreign embassies in Ukraine. Read more.
• Bolster government infrastructure with state and local cybersecurity grants: A new round of U.S. government funding is available to help protect information systems owned or operated by, or on behalf of, State, Local, Tribal, and Territorial (SLTT) governments. Read more.

• System hardening at Google scale: New challenges, new solutions: Hardening systems has changed a lot over the past 20 years. From operationalizing hardening processes to responding to new regulations, hosts Anton Chuvakin and Tim Peacock get into the details with Andrew Hoying, senior security engineering manager at Google. Listen here.
• What is Chronicle? Beyond XDR and into the next generation of SecOps: Chronicle’s got a good story to tell, and Chris Corde, Google Cloud’s senior director of product management for security operations, discusses “why Chronicle” with Anton and Tim. Listen here.
• Threat Trends: Unraveling WyrmSpy and DragonEgg with Lookout: Host Luke McNamara is joined by Kristina Balaam, staff threat researcher at Lookout, to discuss her work attributing two new mobile malware families to APT41. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.