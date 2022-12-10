



Software supply chain security is one of the most significant national security risks facing governments around the world, Royal Hansen, Google's vice president of engineering for privacy, safety and security, said in a blog post on Thursday.

A study by Mandiant, the security firm Google acquired in September for $5.4 billion to strengthen its security business, found the software supply chain to be the second most common initial infection vector.

The software supply chain ecosystem is fragile: open source components, which make up roughly 90% of most software applications today, rely on multiple internal and external dependencies, Google said in a research report published Thursday.

Much of the work underway to improve the security of open source software is voluntary. This puts a heavy burden on organizations, which must assess the quality of the dependencies they consume and ensure they have mechanisms in place to receive the latest vulnerability information and respond quickly, the report says.

According to Google, SolarWinds and Log4j, two of the most significant software supply chain incidents of recent years, highlight the urgent need to address these challenges across the ecosystem.

The company has stepped up its efforts to extend the capabilities of Supply-chain Levels for Software Artifacts (SLSA), a framework that helps organizations meet the National Institute of Standards and Technology's secure software development guidelines (the Secure Software Development Framework).

Google open-sourced SLSA to gather more feedback and contributions from the open source community, but warns that there is a real risk that these efforts will fragment globally.

The report urges governments around the world to coordinate as closely as possible on these issues, to avoid fragmentation and the adoption of measures that stifle innovation.

Google has highlighted three main pillars for governments and organizations to address software supply chain risks:

1. Adopt security best practices and standards.
2. Build a more resilient software ecosystem.
3. Continue to invest in security.

The company also noted that multiple efforts are underway to pursue these goals across government, industry, academia, and the open source community. The report also provides a checklist of policy recommendations aimed at improving the resilience of the software supply chain.

Our approach to supply chain security is rooted in core principles.

