Open-source software is integral to modern development, including the software that runs critical infrastructure, and it is transforming the way we build and deploy technology. The security of the software supply chain, however, remains a global challenge: a single vulnerable component can have a cascading impact across every system that depends on it.
Under Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience mission (currently in development), we have announced a new partnership between Google and CSIRO. Together we will develop tools and frameworks that help Australian critical infrastructure (CI) operators meet their software supply chain security obligations, including those in the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy.
The tools and frameworks will focus on accurately identifying and fixing vulnerabilities in open source software components. Such components have become an increasingly important part of digital transformation for Australia’s critical infrastructure, which spans everything from public utilities and hospitals to freight networks and grocery supply.
The partnership will see CSIRO work with the Google Open Source Security Team (GOSST) and Google Cloud to develop novel AI-powered tooling: automated vulnerability scanners and data protocols that can quickly and precisely identify open source vulnerabilities in Australian CI operators’ software supply chains and assess their impact.
The tools will draw on existing resources, including Google’s OSV database, for the most up-to-date vulnerability intelligence. CSIRO’s applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help ensure that reports and recommendations directly address the local regulatory and operating context of Australian operators.
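To make concrete what “precisely identifying” an affected component involves when consuming OSV data, the following is an added example (not code from Google, CSIRO or the OSV project). It evaluates an advisory in the OSV schema shape, with `affected[].ranges[].events` of type `SEMVER` and an explicit `affected[].versions` list, against an inventory of (ecosystem, package name, version) triples such as an SBOM would provide. The advisory ID `EXAMPLE-2024-0001`, the package `example-lib` and all versions are constructed placeholders, not a real vulnerability; the function and variable names are this example’s own.

```python
"""Offline matching of package versions against an OSV-format advisory.

Added example; not code from Google, CSIRO or the OSV project. All data
below is constructed for illustration.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed advisory in OSV schema shape. The ID, package name and
# versions are placeholders, not a real vulnerability.
SAMPLE_OSV_RECORD = json.dumps({
    "schema_version": "1.6.0",
    "id": "EXAMPLE-2024-0001",
    "summary": "Constructed example advisory for example-lib",
    "affected": [
        {   # SEMVER ranges: two windows, each closed by a `fixed` event
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [{"type": "SEMVER", "events": [
                {"introduced": "0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.0.5"},
            ]}],
        },
        {   # Explicit enumeration instead of a range
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "versions": ["0.9.0", "0.9.1"],
        },
    ],
})

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def semver_key(version: str) -> tuple:
    """Sort key implementing SemVer 2.0 precedence.

    OSV uses the bare string "0" in `introduced` to mean "from the first
    version"; it maps to a key below every real version. Build metadata
    (+...) is ignored, and a pre-release sorts below its release.
    """
    if version == "0":
        return (0, 0, 0, 0, ())
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    major, minor, patch, pre = m.groups()
    pre_ids = tuple(
        (0, int(p)) if p.isdigit() else (1, p)  # numeric ids rank below alphanumeric
        for p in pre.split(".")
    ) if pre else ()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre_ids)


def in_semver_range(version: str, events: list[dict]) -> bool:
    """True if `version` lies in any [introduced, fixed) or
    [introduced, last_affected] window of an OSV SEMVER events list."""
    v = semver_key(version)
    # `limit` events only bound enumeration and do not change affectedness.
    relevant = [e for e in events if "limit" not in e]
    # Sort defensively; each event carries exactly one version-valued field.
    ordered = sorted(relevant, key=lambda e: semver_key(next(iter(e.values()))))
    start = None
    for ev in ordered:
        if "introduced" in ev:
            start = semver_key(ev["introduced"])
        elif "fixed" in ev:
            if start is not None and start <= v < semver_key(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev:
            if start is not None and start <= v <= semver_key(ev["last_affected"]):
                return True
            start = None
    # An `introduced` with no closing event means "still unfixed".
    return start is not None and start <= v


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    ecosystem: str
    name: str
    version: str


def _affects(affected: dict, version: str) -> bool:
    if version in affected.get("versions", []):
        return True
    for rng in affected.get("ranges", []):
        if rng.get("type") == "SEMVER" and in_semver_range(version, rng.get("events", [])):
            return True
        # ECOSYSTEM and GIT ranges need ecosystem-specific comparators (or a
        # commit graph); a real scanner must not silently treat them as "safe".
    return False


def match_inventory(osv_json: str, inventory: list[tuple[str, str, str]]) -> list[Finding]:
    """Return one Finding per inventory entry the advisory affects."""
    record = json.loads(osv_json)
    findings = []
    for ecosystem, name, version in inventory:
        for aff in record.get("affected", []):
            pkg = aff.get("package", {})
            if (pkg.get("ecosystem") == ecosystem and pkg.get("name") == name
                    and _affects(aff, version)):
                findings.append(Finding(record["id"], ecosystem, name, version))
                break
    return findings


# Constructed inventory, e.g. what an SBOM would list.
SAMPLE_INVENTORY = [
    ("npm", "example-lib", "1.4.1"),       # inside first window
    ("npm", "example-lib", "1.4.2-rc.1"),  # pre-release of the fix: still affected
    ("npm", "example-lib", "1.4.2"),       # the fix itself
    ("npm", "example-lib", "1.5.0"),       # gap between the two windows
    ("npm", "example-lib", "2.0.3"),       # inside second window
    ("npm", "example-lib", "2.0.5"),       # second fix
    ("PyPI", "example-lib", "0.9.1"),      # listed explicitly
    ("PyPI", "example-lib", "0.9.2"),      # not listed
    ("npm", "other-lib", "1.0.0"),         # different package, ignored
]

if __name__ == "__main__":
    for f in match_inventory(SAMPLE_OSV_RECORD, SAMPLE_INVENTORY):
        print(f"{f.advisory_id}: {f.ecosystem}/{f.name}@{f.version} affected")
```

The point of the example is the range evaluation: a `fixed` event is exclusive, a `last_affected` event is inclusive, a pre-release of the fix version (`1.4.2-rc.1`) is still inside the window, and an `introduced` with no closing event means every later version is affected. Range types other than `SEMVER` are deliberately left unevaluated here; a production scanner needs per-ecosystem version comparators for `ECOSYSTEM` ranges and commit ancestry for `GIT` ranges, and should report those as unknown rather than as not affected.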
In parallel, CSIRO and Google will collaborate on a security framework that gives Australian CI operators clear guidance on how to meet current requirements and a baseline for future ones. The framework will adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework originally created by Google, informed by CSIRO’s insight into Australian industry practice, to define multiple levels of software supply chain maturity and the steps needed to achieve each one.
Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning and big-data capabilities as well as domain-specific large language models, to accelerate the partnership’s research and translate it into tools or as-a-service offerings for CI operators. GOSST will contribute its extensive expertise in open source supply chain security; the team already works with the OSS community and partners to raise the security of the open source ecosystem through tools, infrastructure and frameworks.
To maximise the impact of this partnership, all project findings will be made publicly available, giving critical infrastructure sectors free and easy access to them.