- The White House convened an Open Source Software Security Summit Thursday, bringing together top national security and cyber officials to discuss ways to boost the open source software security following the Log4j vulnerability, which threatened millions of devices and applications.
- Major technology providers, including Google, called for a public-private partnership that will help fund and establish standards for the open source community to prevent another recurrence of the Log4j vulnerability.
- "Given the importance of digital infrastructure in our lives, it's time to start thinking of it in the same way we do our physical infrastructure," Kent Walker, president global affairs and chief legal officer at Google and parent firm Alphabet.
The White House brought together representatives from some of the nation's leading technology companies to meet with key federal agencies in an effort to regain a sense of control as the Log4j crisis threatens the stability of millions of applications that depend on Java libraries.
The discussion focused on three main topics, according to a White House readout:
- Prevent security vulnerabilities and defects in code and open source packages. Make it easier to integrate security features into development tools, possibly using code signing or stronger digital identities.
- Create a better way to find and fix defects. The most important open source projects should be prioritized with sustainable ways to maintain them.
- Reducing the response time for distributing and implementing fixes. Officials discussed ways to accelerate and improve the software bill of materials.
National Security Advisor Jake Sullivan, when asked about open source commitments during the White House daily briefing Thursday, said the summit was a "constructive discussion" about helping the public and private work together to become more resilient.
Cybersecurity analysts said the meeting may help bridge the gap between an open source community that some feel has not been provided the proper support and an industry that is highly dependent on these libraries to operate.
"This is an early step, but it was good to see that the government and the industry recognizes that open source security remains a challenge and is prepared to push more on the problem," Sandy Carielli, principal analyst at Forrester said.
Any effort to improve security must consider the needs of the open source maintainer and consumer, Carielli said. Certain tools and programs are needed to maintain security of the software, while users need to be sure they are downloading the correct versions and not malicious libraries.
"Open source software underpins the vast majority of the software we all use daily — just one or two lines of vulnerable code can have a global ripple effect across the billions of developers and services that rely on it," Mike Hanley, chief security officer at GitHub, said in a statement.
Apache Software Foundation is committed to working with industry and government users of open source software to improve security, while remaining true to its original mission, the organization said in a blogpost. ASF President David Nally attended the summit, along with Mark Cox, VP of security and board member Sam Ruby.
"This means that we believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software," Apache officials said.
Akamai Technologies called for the government and industry to prioritize investment in new technologies that will increase visibility into the use of open source, ideally using automated tools. Key open source libraries should be identified and the technology community should provide additional support through active participation and financial investment.
"Government and private sector organizations must invest in tools that reveal the reliance on open source technologies and crucially, take action to mitigate and contain risks to strengthen the security of the ecosystem at large," said Dr. Boaz Gelbord, SVP, CSO at Akamai, and an attendee at the summit.