Today we joined the Open Source Security Foundation (OpenSSF), Linux Foundation and industry leaders for a meeting to continue progressing the open source software security initiatives discussed during January’s White House Summit on Open Source Security. During this meeting, Google announced the creation of its new “Open Source Maintenance Crew” — a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects. In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software.

Amid all this momentum and progress, it is important to take stock on how far we’ve come as a community over the past year and a half. In this post we will provide an update on some major milestones and projects that have launched and look towards the future and the work that still needs to be done.

Know, Prevent, Fix

A little over a year ago we published Know, Prevent, Fix, which laid out a framework for how the software industry could address vulnerabilities in open source software. At the time, there was a growing interest in the topic and the hope was to generate momentum in the cause of advancing and improving software supply-chain security.

The landscape has changed greatly since then:

• Prominent attacks and vulnerabilities in critical open source libraries such as Log4j and Codecov made headline news, bringing a new level of awareness to the issue and unifying the industry to address the problem.
• The US government formalized the push for higher security standards in the May 2021 Executive Order on Cybersecurity. The release of the Secure Software Development Framework, a set of guidelines for national security standards on software development, sparked an industry-wide discussion about how to implement them.
• Last August, technology leaders including Google, Apple, IBM, Microsoft, and Amazon invested in improving cybersecurity — and Google alone pledged $10 billion over the next five years to strengthen cybersecurity, including $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.

In light of these changes, the Know, Prevent, Fix framework proved prescient: beyond just the increased discussion about open source security, we’re witnessing real progress in the industry to act on those discussions. In particular, the OpenSSF has become a community town hall for driving security engineering efforts, discussions, and industry-wide collaboration.

These successes have also surfaced new challenges, though, and we believe the next step is to increase accessibility. Security tools should be more easily adopted into common developer workflows, more integrated across the ecosystem, and simpler to connect into projects. Underlying all of this is a need to streamline the process of matching projects with available funds and resources to enable security improvements.

This follow-up blog post discusses Google’s efforts in collaboration with the open source community to make progress on security goals in the past year, the lessons learned and how the industry can build on this momentum.

Know

Our goals for “Know” were to capture more precise data about vulnerabilities, establish a standard schema to track vulnerabilities across databases, and create tooling for better tracking of dependencies.

Over the past year the community’s investment in Open Source Vulnerabilities (OSV) has resulted in a new vulnerability format. The format was developed and adopted by several open source ecosystems (Python, Rust, Go), as well as vulnerability databases such as GitHub’s Security Advisories (GHSA) and the Global Security Database. Google also worked closely with MITRE on the new CVE 5.0 JSON schema to simplify future interoperability. OSV.dev also supports a searchable vulnerability database that, thanks to the standardized format, aggregates vulnerabilities from all other databases into one easily searched location.

During the Log4j vulnerability response, the Google-supported Open Source Insights project helped the community understand the impact of the vulnerability. This project analyzes open source packages and provides detailed graphs of dependencies and their properties. With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph. Today, we’re also making the data powering Open Source Insights available as a public Google Cloud Dataset.

The OSV project showed that connecting a CVE to the vulnerability patch development workflow can be difficult without precise vulnerability metadata. It will take cooperation across disparate development communities to reap the full benefits of the progress, but with collaboration OSV can scale quickly across language and project ecosystems.

We believe the next major goal is to lower the barrier of entry for users. Integrating with developer tools and processes will bring high quality information to where it is most useful. For instance, OSV findings can be everywhere from code editors (e.g., when deciding whether to include a library) to deployment (e.g., stopping vulnerable workloads from deploying).

Prevent

“Prevent” was conceived to help users understand the risks of new dependencies so they can make informed decisions about the packages and components they consume.

We’ve seen strong community involvement in the prevention of vulnerabilities, particularly in the Security Scorecards project. Scorecards evaluates a project’s adherence to security best practice and assigns scores that developers can consult before consuming a dependency. Users can choose to avoid projects that, for example, don’t use branch protection settings or employ dangerous workflows (which make projects vulnerable to malicious commits), and gravitate to projects that follow strong security practices like signing their releases and using fuzzing. Thanks to contributions from Cisco, Datto and several other open source contributors, there are now regular Scorecard scans of 1 million projects, and Scorecards has developed from a command line tool into an automated GitHub Actions that runs after any change to GitHub project. More organizations are adopting Scorecards, and the Scorecard GitHub Action has been installed on over 1000 projects, with continued growth. With increased adoption, overall security will improve across entire ecosystems.

Additionally, Sigstore is helping prevent attacks by creating new tools for signing, verifying and protecting software. Recently, Kubernetes announced that it is using sigstore to sign its releases, showing that artifact signing at a large scale is now within reach. As adoption expands, we can expect stronger links between published source code and the binaries that run it.

Community collaborators like Citi, Chainguard, DataDog, VMWare and others have actively contributed to the OpenSSF’s SLSA framework. This project is based on Google’s internal Binary Authorization for Borg (BAB), which for more than a decade has been mitigating the risk of source and production attacks at Google. SLSA lays out an actionable path for organizations to increase their overall software supply-chain security by providing step-by-step guidelines and practical goals for protecting source and build system integrity. The SLSA framework addresses a limitation of Software Bills of Materials (SBOMs), which on their own do not provide sufficient information about integrity and provenance. An SBOM created using SLSA provenance and metadata is more complete and addresses both source code and build threat vectors. Using SLSA may also help users implement Secure Software Development Framework (SSDF) requirements.

Continued improvements to the OSS-Fuzz service for open source developers have helped get over 2300 vulnerabilities fixed across 500+ projects in the past year. Google has also been heavily investing in expanding the scope of fuzzing through adding support for new languages such as Java and Swift and developing bug detectors to find issues like Log4shell.

Through the Linux Kernel Self-Protection Project, Google has been providing a steady stream of changes to overhaul internal kernel APIs so that the compiler can detect and stop buffer overflows in fragile areas that have seen repeated vulnerabilities. For everyone in the ecosystem staying current on Linux kernel versions, this removes a large class of flaws that could lead to security exploits.

Looking ahead, this area’s rapid growth highlights the community’s concern about integrity in software supply chains. Users are searching for solutions that they can trust across ecosystems, such as provenance metadata that connects deployed software to its original source code. Additionally, we expect increased scrutiny of development processes to ensure that software is built in the most secure way possible.

The next goals for open source software security should involve broad adoption of best practices and scalability. Increasing the use of these tools will multiply the positive effects as more projects become secured, but adoption needs to happen in a scalable way across ecosystems (e.g., via the OpenSSF Securing Package Repositories Working Group focused on improving security in centralized package managers). Education will be a driving force to speed the shift from project-by-project adoption to broadscale ecosystem conversion: greater awareness will bring greater momentum for change.

Fix

“Fix” was conceived to help users understand their options to remove vulnerabilities, enable notifications that help speed repairs, and fix widely used versions of affected software, not just the most recent versions.

Google supported open source innovation, security, collaboration, and sustainability through our programs and services by giving $15 million to open source last year. This includes $7.5 million to targeted security efforts in areas such as supply chain security, fuzzing, kernel security and critical infrastructure security. For example, $2.5 million of the security funding went to the Alpha-Omega project, which made its first grant to the Node.js foundation to strengthen its security team and support vulnerability remediation.

Other security investments include $1 million to SOS Rewards, and $300,000 to the Internet Security Research Group to improve memory safety by incorporating Rust into the Linux kernel. The remaining funding supports security audits, package signing, fuzzing, reproducible builds, infrastructure security and security research.

Beyond financial investments, Google employees contribute their hours, effort, and code to tens of thousands of open source repositories each year. One issue frequently cited by open source maintainers is limited time. Since under-maintained, critical open source components are a security risk, Google is starting a new Open Source Maintenance Crew, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects. We hope that other enterprises that rely on open source will invest in similar efforts to help accelerate security improvements in the open source ecosystem.

Up Next

The amount of progress in the past year is very encouraging: we as an industry have come together to discuss, fund, and make headway on many of the difficult problems that affect us all. The solutions are not just being talked about, but also built, refined, and applied. Now we need to magnify this progress by integrating these solutions with tooling and language ecosystems: every open source developer should have effortless access to end-to-end security by default.

Google is committed to continuing our work with the OpenSSF to achieve these goals. To learn more about the OpenSSF foundation and join its efforts, check it out here.

Every day, we work to create a safer internet by making our products secure by default, private by design, and putting you in control of your data. This is how we keep more people safe online than anyone else in the world.

Secure by default in the face of cyber threats

Today, more cyberattacks than ever are happening on a broader, global scale. The targets of these attacks are not just major companies or government agencies, but hospitals, energy providers, banks, schools and individuals. Every day, we keep people’s data safe and secure through industry-leading security technology, automatic, built-in protections, and ongoing vulnerability research and detection.

Our specialized teams work around the clock to combat current and emerging cyber threats. Google’s Threat Analysis Group (TAG), for example, has been tracking critical cyber activity to help inform Ukraine, neighboring countries in Europe, and others of active threat campaigns in relation to the war. We’ve also expanded our support for Project Shield to protect the websites of 200+ Ukrainian government entities, news outlets and more.

Cybersecurity concerns are not limited to war zones — more than 80% of Americans say they’re concerned about the safety and privacy of their online data. That’s why we built one of the world’s most advanced security infrastructures to ensure that our products are secure by default. Now, that infrastructure helps keep people safer at scale:

• Account Safety Status: We’re adding your safety status to your apps so you never have to worry about the security of your Google Account. These updates will feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account.

• Phishing protections in Google Workspace: We’re now scaling the phishing and malware protections that guard Gmail to Google Docs, Sheets, and Slides.
• Automatic 2-Step Verification: We’re also continuing our journey towards a more secure, passwordless future with 2-Step Verification (2SV) auto enrollment to help people instantly boost the security of their Google Accounts and reduce their risk of getting phished. This builds on our work last year to auto enroll 150+ million accounts in 2SV and successfully reduce account takeovers.
• Virtual Cards: As people do more shopping online, keeping payment information safe and secure is critically important. We’re launching virtual cards on Chrome and Android. When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number. This eliminates the need to manually enter card details like the CVV at checkout, and they’re easy to manage atpay.google.com — where you can enable the feature for eligible cards, access your virtual card number, and see recent virtual card transactions. Virtual cards will be rolling out in the US for Visa, American Express, Mastercard and all Capital One cards starting this summer.

Helpful products that are private by design

We’re committed to designing products that are helpful and protect people’s privacy. Our engineers have pioneered and open-sourced numerous privacy preserving technologies, including Federated Learning and Differential Privacy, which we made more widely available earlier this year when we started offering our Differential Privacy library in Python as a free open-source tool — reaching almost half of developers worldwide.

Now, we’re expanding this work with the introduction of Protected Computing, a growing toolkit of technologies that transform how, when, and where data is processed to technically ensure the privacy and safety of your data. We do this by:

• Minimizing your data footprint: Leveraging techniques like edge processing and ephemerality, we shrink the amount of your personally identifiable data.
• De-identifying data: Through blurring and randomizing identifiable signals, to adding statistical noise, we use a range of anonymization techniques to strip your identity from your data.
• Restricting access: Through technologies like end-to-end encryption and secure enclaves, we make it technically impossible for anyone, including Google, to access your sensitive data.

Today, Protected Computing enables helpful features like Smart Reply in Messages by Google and Live Translation on Pixel. And while we’re continuing to innovate new applications across our products, we’re equally focused on using Protected Computing to unlock the potential of data to benefit society more broadly — for example, by enabling even more robust aggregated and anonymized datasets so we can safely do everything from help cities reduce their carbon footprint, to accelerate new medical breakthroughs.

You’re in control of your personal information

Privacy is personal, and safety is a bit different for each individual. That’s why our privacy and security protections are easy to access, monitor and control. Today, we’re introducing two new tools that give you even more control over your data:

• Results about you in Search: When you’re using the internet, it’s important to have control over how your personal information can be found. With our new tool to accompany updated removal policies, people can more easily request the removal of Google Search results containing their contact details — such as phone numbers, home addresses, and email addresses. This feature will be available in the coming months in the Google App, and you can also access it by clicking the three dots next to individual Google Search results.

• My Ad Center: We want to make it even easier for you to control the ads you see. Towards the end of this year, we’ll launch more controls for your ads privacy settings: a way of choosing which brands to see more or less of, and an easier way to choose whether to personalize your ads. My Ad Center gives you even more control over the ads you see on YouTube, Search, and your Discover feed, while still being able to block and report ads. You’ll be able to choose the types of ads you want to see — such as fitness, vacation rentals or skincare — and learn more about the information we use to show them to you.

To learn more about how every day you're safer with Google, visit our Safety Center.

People are constantly being told to strengthen their security habits, but with so much advice — some of it conflicting — it’s hard to understand where to start or what to believe. Perhaps that’s why people go the easy route. Based on a new study we commissioned with Ipsos, nearly 20% of Americans still use common passwords like Password, abc123 and 123456.

So, we’re introducing a twist on spring cleaning this year: a digital cleaning to throw out old security advice and replace it with better practices. In honor of World Password Day today, we encourage everyone to start by leveraging the security protections built directly into our products that make every day Safer with Google.

Out with the old (cybersecurity myths)

As cybersecurity evolves, many of our old fears about it are no longer relevant or even true, especially with ongoing tech innovations. Here are a some of those myths we’re debunking today:

“It’s up to me to spot suspicious links on my own”: Phishing schemes can lead to serious cyber attacks, but by leveraging tech that is secure by default, you’re automatically protected from many of them. If you’re using Chrome or Gmail, we’ll proactively flag known deceptive sites, emails and links before you even click them, and Google Password Manager won’t autofill your credentials if it detects a fraudulent website. With the right security protections, which are set as default in Google products, less of the burden is on you.

“Avoid public Wi-Fi at all costs” The tech industry continues to make improvements to reduce security risks with public Wi-Fi, which has historically been the model for bad security practices. Websites using HTTPS provide secure connections using data encryption. Chrome offers HTTPS-First mode to prioritize those sites and makes it easy to identify protected pages with a lock icon in your web address bar. Use that as a signal for which websites to visit.

“Bluetooth is dangerous”: Bluetooth technology has come a long way since its inception. It’s far more advanced and harder to break into, especially in comparison with other technologies. However some people might still question whether Bluetooth, familiar as a pairing technology, is a secure method to help you sign in. After all, you’re used to seeing nearby devices like your phone or headphones show up on your laptop. But using current Bluetooth standards is very secure, and doesn’t actually involve pairing. It’s used to ensure your phone is near the device you’re signing in to, confirming it’s really you trying to access your account.

“Password managers are risky”: It might seem risky to entrust all your credentials in a single provider, but password managers are designed for security —and if you use ours, built directly into Chrome and Android, then you know it’s secure by default. Our research shows that 65% of people still reuse their credentials for various accounts, password managers solve that problem by creating new passwords for you and ensuring their strength. They’re also increasingly more secure, in fact, we recently launched a new on-device encryption for Google Password Manager, allowing you to keep your passwords more private and protected with your Google Account credentials before they’re sent to us for storage.

“Cybercriminals won’t waste their time targeting me”: You might not be a high-profile figure, but that doesn’t mean you’re not on cybercriminals’ radars. In fact, the everyday person is the perfect target for social engineering, which is when an attacker manipulates you into sharing personal information used for a cyber attack. Social engineers do this for a living and it’s a low cost, low effort way to reach their goals, especially in comparison to physically breaking technology or trying to target someone in the public eye. Protect yourself by being aware of social engineering and taking advantage of products that are secure by default like Gmail, Chrome, etc.

In with the new (digital spring cleaning)

Similar to how you clean out your garage each spring, we encourage you to spruce up your security. Get started with these tips and take a quick Security Checkup, which will guide you through protections that can instantly secure your Google Account.

• Use 2-Step Verification (2SV): 2SV requires a second form of verification to access your account beyond your password — which could be a code sent to your phone, security key, etc. So, if someone tries to access your account, they will have a much harder time because they’ll need your password and second form of verification. Apply 2SV to secure your Google Account today, which will also cover all the services you use Sign in with Google for, with a simple tap on your device.

• Use a Password Manager: Now that you know the truth about password managers, use one in addition to 2SV. Google Password Manager, built into Chrome and Android, will store your passwords, auto populate them for sites, create strong passwords, ensure they’re not entered into malicious sites, and alert you when they’re compromised.

• Setup Account Recovery: Things happen, we lose our phones, forget our passwords, etc., so it’s critical to have recovery in place to gain access to your account in the event you’re locked out. This is especially true since other accounts utilize your email as a recovery method, so by keeping your Google Account recoverable, you do so for your other accounts as well. We’re also working to eliminate more inactive accounts for the safety of our users, so if your account becomes inactive and we take action, recovery and 2SV enablement will ensure you don’t lose data. Add a recovery email and phone number to your accounts today and sign up for Inactive Account Manager in addition to 2SV.

• Install Updates: Finally, apply all those updates you’ve been putting off across your devices. Software updates often address critical security vulnerabilities, and with cyber threats on the rise, they’re more important than ever. Remember, there’s no IT team dedicated to maintaining your security like there may be at work, so it’s up to you to protect yourself at home. Take time to survey your mobile device, router, computer, etc., for updates.

We know security news will continue to flood your feeds today, but keep these tips in mind and freshen up your security this spring. For more security tips, and to learn about all the ways we make every day Safer with Google, visit ourSafety Center.

Today passwords are essential to online safety, but threats like phishing, scams, and poor password hygiene continue to pose a risk to users. Google has long recognized these issues, which is why we have created defenses like 2-Step Verification and Google Password Manager.

However, to really address password problems, we need to move beyond passwords altogether, which is why we’ve been setting the stage for a passwordless future for over a decade.

Today, in honor of World Password Day, we’re announcing a major milestone in this journey: We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms. This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year.

How will a passwordless future work?

When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.

Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.

To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.

Paving the way to passwordless

The passkey will bring us much closer to the passwordless future we’ve been mapping out for over a decade.

We’re excited for what the passkey future holds. That said, we understand it will still take time for this technology to be available on everyone’s devices and for website and app developers to take advantage of them. Passwords will continue to be part of our lives as we make this transition, so we’ll remain dedicated to making conventional sign-ins safer and easier through our existing products like Google Password Manager.