Google released a new research report on Dec. 8 outlining how organizations can better defend themselves against cyberattacks that target their software supply chains.
The report follows up on supply chain security concerns raised by incidents such as the SolarWinds software supply chain attack and the industry-wide scramble to remediate the Log4j vulnerabilities.
“We believe that software supply chain security is one of the most critical national security risks facing governments worldwide and there is an urgent need to come together as an industry to address it,” Google said.
The report sets out a list of recommendations for defending supply chains, with collaboration between organizations as a central theme.
“Resilience against sophisticated cyber attacks now requires all organizations to secure their software supply chains,” the report says.
It also says that organizations consuming open source software must take on more responsibility for the supply chain risk that software introduces. “As open source software use grows, organizations should take on additional security responsibilities to address supply chain risk,” Google said.
The report also pitches the Supply-chain Levels for Software Artifacts (SLSA) framework, a graded set of build-integrity and provenance requirements, as a way for organizations to build software securely and to verify the integrity of the artifacts they consume. “Industry’s SLSA framework can help all organizations securely build and verify the integrity of software,” it says.
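To make “verify the integrity of software” concrete, here is an added example (not code from the report, from Google, or from the SLSA project) of the checks a consumer runs against SLSA provenance before trusting a downloaded artifact: the statement and predicate types are the expected ones, the builder that produced it is on an allowlist, and the artifact’s SHA-256 matches a subject entry under the expected name. It assumes the in-toto Statement v0.1 / SLSA provenance v0.2 layout; the builder id, build type, repository URI and artifact bytes are constructed for the example. Real provenance arrives inside a signed DSSE envelope, and verifying that signature comes before any of these checks.

```python
"""Consumer-side checks on a SLSA provenance statement (added example).

Assumes in-toto Statement v0.1 wrapping SLSA provenance v0.2. In practice the
statement is the payload of a signed DSSE envelope; verify the signature
against the builder's public key first, then apply these checks.
"""
import hashlib
import json

INTOTO_STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

# Hypothetical builder identity this consumer trusts (assumption for the example).
SAMPLE_BUILDER = "https://ci.example.com/builders/slsa-level-3"
TRUSTED_BUILDERS = frozenset({SAMPLE_BUILDER})

# Constructed artifact standing in for a downloaded release tarball.
SAMPLE_NAME = "app-v1.2.3.tar.gz"
SAMPLE_ARTIFACT = b"constructed release bytes for the example\n"


class ProvenanceError(Exception):
    """Raised when the artifact fails a provenance check."""


def verify_provenance(statement, artifact_name, artifact_bytes,
                      trusted_builders=TRUSTED_BUILDERS):
    """Return the predicate if `artifact_bytes` is covered by `statement`.

    Checks, in order: statement type, predicate type, trusted builder, and
    that the artifact's SHA-256 matches a subject entry with the given name.
    Any failure raises ProvenanceError with the reason.
    """
    if statement.get("_type") != INTOTO_STATEMENT_V01:
        raise ProvenanceError(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        raise ProvenanceError(f"not SLSA provenance: {statement.get('predicateType')!r}")
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        raise ProvenanceError(f"untrusted builder {builder_id!r}")
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    for subject in statement.get("subject", []):
        if (subject.get("name") == artifact_name
                and subject.get("digest", {}).get("sha256") == digest):
            return predicate
    raise ProvenanceError(f"no subject matches {artifact_name} sha256:{digest}")


def check_release(statement, artifact_name, artifact_bytes,
                  trusted_builders=TRUSTED_BUILDERS):
    """Convenience wrapper: "ok" on success, otherwise the failure reason."""
    try:
        verify_provenance(statement, artifact_name, artifact_bytes, trusted_builders)
    except ProvenanceError as exc:
        return str(exc)
    return "ok"


def make_sample_provenance(artifact_name, artifact_bytes, builder_id):
    """Constructed, unsigned sample of what a SLSA builder would emit."""
    source = "git+https://example.com/org/app@refs/tags/v1.2.3"  # constructed
    return {
        "_type": INTOTO_STATEMENT_V01,
        "predicateType": SLSA_PROVENANCE_V02,
        "subject": [{
            "name": artifact_name,
            "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()},
        }],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://ci.example.com/build-types/generic@v1",  # assumed
            "invocation": {"configSource": {
                "uri": source, "digest": {"sha1": "0" * 40}, "entryPoint": "build.yml"}},
            "materials": [{"uri": source, "digest": {"sha1": "0" * 40}}],
        },
    }


if __name__ == "__main__":
    prov = make_sample_provenance(SAMPLE_NAME, SAMPLE_ARTIFACT, SAMPLE_BUILDER)
    print(json.dumps(prov, indent=2))
    print("genuine artifact:", check_release(prov, SAMPLE_NAME, SAMPLE_ARTIFACT))
    print("tampered artifact:", check_release(prov, SAMPLE_NAME, SAMPLE_ARTIFACT + b"x"))
    print("untrusted builder:", check_release(prov, SAMPLE_NAME, SAMPLE_ARTIFACT,
                                              trusted_builders=frozenset()))
```

The order of the checks matters: the builder allowlist is enforced before the digest comparison, because a matching hash in a statement from an untrusted builder proves nothing. Pinning the builder id is also what ties the check to a SLSA level, since the level is a property of the builder, not of the statement format.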
Finally, the report recommends a more holistic approach to securing software supply chains.
“A more holistic approach to software supply chain attacks will strengthen defenses worldwide. This includes a common strategy across government, industry, academia, and the open source community to better equip all stakeholders with the tools they need to address software supply chain risk,” the Google report says.