Google has described its attempts to shape the US government’s zero-trust strategy based on Biden’s cybersecurity Executive Order from May.
Google’s $10 billion pledge to strengthen critical US infrastructure includes expanding zero-trust programs, assisting in the security of software supply chains, and improving open-source safety.
The effort will draw on programs that have been running at Google for many years, ranging from open-source fuzzing tools to funding Linux kernel engineers to work on security. It comes after US President Joe Biden earlier this week called on the CEOs of Apple, Google, Microsoft, and JPMorgan Chase to strengthen the nation’s critical infrastructure protection.
Although Google was not one of the 18 cybersecurity firms chosen to work with the US Department of Commerce’s National Institute of Standards and Technology (NIST) program, it will establish Zero Trust designs.
According to Eric Brewer and Dan Lorenc in a blog post, the company is now collaborating with NIST to develop a framework. Zero Trust assumes a network has been infiltrated and refocuses cybersecurity on apps, data, and people rather than the network perimeter.
“Instead of being reactive to vulnerabilities, we should be proactive in eliminating them with secure languages, platforms, and frameworks that prevent entire classes of defects,” Brewer and Lorenc added. “It is safer and more cost-effective to prevent problems before they leave the developer’s keyboard than it is to try to address vulnerabilities and their aftermath.”
At Wednesday’s White House cybersecurity meeting, Biden appealed to the private sector, stating that the federal government alone could not fulfill the burden of defending critical infrastructure from cyberattacks.
Google and Microsoft
The appeal followed recent high-profile cyberattacks such as the Colonial Pipeline ransomware attack, the SolarWinds software supply chain attack, and the widespread exploitation of Microsoft Exchange Server vulnerabilities, The Washington Post reported.
Brewer responded to Biden’s cybersecurity Executive Order 14028 on increasing software supply chain security with four papers in June.
One of the papers examines the security issues associated with coding in the C programming language and the advent of Rust.
“Real-world C code is challenging and frequently necessitates sophisticated reasoning about heap memory structures. Similarly, because data often passes through numerous components on its path from inputs to outputs, such as a storage schema, it is difficult to assure adequate validation and escaping for all data that flows into a web application’s HTML markup.”
On the other hand, Rust has emerged as a viable alternative to C and C++ as a systems-development language, embodying a secure-by-construction approach to memory safety. To that end, Google supports a plan to incorporate Rust into the Linux kernel as a second language alongside C. Microsoft and Amazon Web Services also support Rust as a memory-safe alternative to C and C++ for systems programming.
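The paper’s second example, data that flows into HTML markup, is where the same secure-by-construction idea applies outside the kernel. The following is an added illustration, not code from the article or from Google: it contrasts plain string formatting, where every caller must remember to escape, with a small helper in which a SafeHtml value can only be built from already-escaped text, so forgetting to escape becomes a type error rather than a runtime injection. The names (SafeHtml, text, element) and the attribute and URL rules are assumptions made for this example.

```python
"""Escaping untrusted data that flows into HTML markup.

Added example, not code from the article or from Google. A SafeHtml value
can only be minted by text() or element(), both of which escape, so a raw
string can never reach the output unescaped by accident. Names and the
attribute/URL policy below are assumptions for this example.
"""
import html
import re

_TAG_RE = re.compile(r"[a-z][a-z0-9]*")
_ATTR_RE = re.compile(r"[a-z][a-z0-9-]*")
_URL_ATTRS = {"href", "src", "action"}
_SAFE_SCHEMES = ("http://", "https://", "mailto:")
_TOKEN = object()  # private capability: only this module can mint SafeHtml


class SafeHtml:
    """Markup that has already been escaped and is safe to emit."""

    __slots__ = ("_markup",)

    def __init__(self, markup: str, token: object) -> None:
        if token is not _TOKEN:
            raise TypeError("build SafeHtml with text() or element()")
        self._markup = markup

    def __str__(self) -> str:
        return self._markup


def text(untrusted: str) -> SafeHtml:
    """Escape & < > " ' so the value is inert in a text node or attribute."""
    return SafeHtml(html.escape(str(untrusted), quote=True), _TOKEN)


def _url_ok(value: str) -> bool:
    """Escaping alone does not neutralise a hostile URL scheme, so URL-bearing
    attributes get an allow-list: absolute http(s)/mailto or a same-origin
    path (a single leading slash; '//host' would be protocol-relative)."""
    v = value.strip().lower()
    return v.startswith(_SAFE_SCHEMES) or (v.startswith("/") and not v.startswith("//"))


def element(tag: str, *children: SafeHtml, **attrs: str) -> SafeHtml:
    """Build <tag attr="...">children</tag>, escaping attribute values and
    refusing any child that is not already SafeHtml."""
    if not _TAG_RE.fullmatch(tag):
        raise ValueError(f"bad tag name: {tag!r}")
    rendered_attrs = []
    for name, value in attrs.items():
        name = name.rstrip("_").replace("_", "-")  # class_ -> class, data_id -> data-id
        if not _ATTR_RE.fullmatch(name) or name.startswith("on"):
            raise ValueError(f"attribute not allowed: {name!r}")
        value = str(value)
        if name in _URL_ATTRS and not _url_ok(value):
            raise ValueError(f"unsafe URL in {name}: {value!r}")
        rendered_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
    for child in children:
        if not isinstance(child, SafeHtml):
            raise TypeError("children must be SafeHtml; wrap strings with text()")
    inner = "".join(str(child) for child in children)
    return SafeHtml(f"<{tag}{''.join(rendered_attrs)}>{inner}</{tag}>", _TOKEN)


def render_greeting_unsafe(name: str) -> str:
    """The pattern the paper warns about: whether `name` was escaped somewhere
    upstream is invisible here, so the markup is only as safe as every caller."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Same output for benign input; markup in the input is neutralised."""
    return str(element("p", text(f"Hello, {name}!")))


if __name__ == "__main__":
    sample = '<b>Bob</b> & "friends"'  # constructed untrusted input
    print(render_greeting_unsafe(sample))
    print(render_greeting_safe(sample))
    print(element("a", text("docs"), href="https://example.com/?a=1&b=2", class_="link"))
```

The point of the private `_TOKEN` is that the type, not code review, enforces the invariant: a template function that takes `SafeHtml` parameters cannot be handed a raw string, which is the same shift of responsibility from the programmer to the language or framework that the paper describes for memory safety.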
Software code testing
Google promotes software code testing, including using Microsoft-owned GitHub technologies like Dependabot, a tool for keeping open-source software packages or dependencies up to date.
As part of the official US response to software supply chain threats, Google has expressed its thoughts on the concept of software bills of materials (BOMs). The Linux Foundation is funding this element of Biden’s directive. Because modern applications use a large number of library dependencies, the problem is difficult to tackle in both open-source and commercial software.
“BOMs require a reasonable signal-to-noise ratio. If they contain too much information, they will be useless, so we urge the NTIA to establish both minimum and maximum granularity and depth requirements for specific use-cases,” Google stated.
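What a minimum and maximum requirement would look like in practice is easier to see on a concrete bill of materials. The following is an added example, not from the article, Google or the NTIA: the BOM is a constructed, simplified structure (a component table plus dependency edges, not SPDX or CycloneDX), and the thresholds (three required fields, maximum dependency depth 2) are placeholders standing in for whatever a given use-case would require.

```python
"""Checking a software bill of materials against granularity rules.

Added example, not from the article, Google or NTIA. The SBOM format is a
constructed simplification (component table plus dependency edges); the
required fields and maximum depth are placeholder thresholds.
"""
from collections import deque

# Constructed sample: a web app depends on a framework, which pulls in a
# parser, which pulls in a small string utility. One entry lacks a supplier
# and one is an orphan that nothing depends on.
SAMPLE_SBOM = {
    "root": "webapp@2.1.0",
    "components": {
        "webapp@2.1.0": {"name": "webapp", "version": "2.1.0", "supplier": "Example Corp"},
        "framework@4.0.3": {"name": "framework", "version": "4.0.3", "supplier": "framework-org"},
        "parser@1.9.0": {"name": "parser", "version": "1.9.0", "supplier": ""},
        "strutil@0.3.1": {"name": "strutil", "version": "0.3.1", "supplier": "strutil-dev"},
        "leftover@0.0.1": {"name": "leftover", "version": "", "supplier": "someone"},
    },
    "dependencies": {
        "webapp@2.1.0": ["framework@4.0.3"],
        "framework@4.0.3": ["parser@1.9.0"],
        "parser@1.9.0": ["strutil@0.3.1"],
    },
}

REQUIRED_FIELDS = ("name", "version", "supplier")  # placeholder minimum granularity
MAX_DEPTH = 2  # placeholder maximum depth: root=0, direct deps=1, their deps=2


def component_depths(sbom: dict) -> dict:
    """Breadth-first walk from the root; returns {component_id: depth} for
    every component reachable through declared dependency edges."""
    depths = {sbom["root"]: 0}
    queue = deque([sbom["root"]])
    while queue:
        current = queue.popleft()
        for dep in sbom["dependencies"].get(current, []):
            if dep not in depths:  # first visit is the shortest path
                depths[dep] = depths[current] + 1
                queue.append(dep)
    return depths


def check_granularity(sbom: dict, required=REQUIRED_FIELDS, max_depth=MAX_DEPTH) -> list:
    """One finding per violation: a component below the minimum (missing
    required fields), above the maximum (deeper than max_depth, or not
    reachable from the root and therefore noise), or an edge to an
    undeclared component id."""
    findings = []
    depths = component_depths(sbom)
    for cid, comp in sbom["components"].items():
        missing = [f for f in required if not comp.get(f)]
        if missing:
            findings.append(f"{cid}: missing {', '.join(missing)}")
        if cid not in depths:
            findings.append(f"{cid}: not reachable from root")
        elif depths[cid] > max_depth:
            findings.append(f"{cid}: depth {depths[cid]} exceeds {max_depth}")
    for cid, deps in sbom["dependencies"].items():
        for dep in deps:
            if dep not in sbom["components"]:
                findings.append(f"{cid}: depends on undeclared {dep}")
    return findings


def trim_to_depth(sbom: dict, max_depth=MAX_DEPTH) -> list:
    """Component ids a consumer would keep for this use-case: reachable from
    the root and within max_depth, ordered by depth then id."""
    depths = component_depths(sbom)
    kept = [(d, cid) for cid, d in depths.items() if d <= max_depth]
    return [cid for d, cid in sorted(kept)]


if __name__ == "__main__":
    for finding in check_granularity(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("kept:", trim_to_depth(SAMPLE_SBOM))
```

Running it on the sample reports the parser’s missing supplier and the orphan’s missing version (below the minimum), the string utility at depth 3 and the orphan that nothing reaches (beyond the maximum), and `trim_to_depth` keeps only the three components a depth-2 use-case would want to see.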