Technology leaders met at the White House yesterday to discuss ways to improve open source security in the wake of the Log4j saga.
According to an official statement on the meeting, the discussion focused on three areas: finding better ways to prevent, detect and mitigate vulnerabilities in code and accelerate the deployment of patches.
“In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities,” noted the White House statement.
“In the second category, participants discussed how to prioritize the most important open-source projects and put in place sustainable mechanisms to maintain them. In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s executive order, to make it easier to know what is in the software we purchase and use.”
Participants at the meeting included Alphabet, IBM, Red Hat, Amazon, Apple, Meta, Microsoft, Oracle, the Apache Software Foundation, the Linux Foundation and the Open Source Security Foundation (OpenSSF).
Alphabet president of global affairs and chief legal officer, Kent Walker, later argued for greater public-private cooperation to identify the most critical open-source projects and the software that may pose the greatest systemic risks.
The community should then build on initiatives like OpenSSF, he said.
“Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance and testing – to ensure national infrastructure and other important systems can rely on open source projects,” Walker said in a blog post.
“These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.”
Walker added that Google had suggested the creation of a new marketplace for open source maintenance that would help match volunteers from companies with critical projects that need support.
Another attendee, Akamai, went further, arguing that the tech community needed to provide financial investment to identify the key open source libraries targeted by threat actors and help in vulnerability management.
Echoing the White House statement, the firm called for better public-private information sharing to swarm problems when vulnerabilities are first identified and the development of “reliable containment plans” to protect consumers and businesses when bugs are inevitably exploited.
The Apache Software Foundation broadly welcomed moves to improve collaboration across open source, private tech companies and government.
“The ASF produces software for the public good. We are committed to working with the larger community, including industry and government consumers of open source software, to find ways to improve security while adhering to The Apache Way,” it said.
“This means that we believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open-source software. There’s no single silver bullet to get there, and it will take all of our organizations working together to improve the open-source supply chain.”