The White House wants government and private sector organizations to rally their efforts and resources to secure open-source software and its supply chain after the Log4J vulnerabilities exposed critical infrastructure to threat actors’ attacks.
Discussions on this topic took place during the Open Source Software Security Summit convened by the Biden administration on Thursday.
Participants focused on three topics: preventing security defects and vulnerabilities in open source software, improving the process for finding security flaws and fixing them, and shrinking the time needed to deliver and deploy fixes.
“Most major software packages include open source software – including software used by the national security community,” a readout of the meeting on software security reads.
“Open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”
During the summit, Google proposed the creation of a new organization that would act as a marketplace for open source maintenance that would match volunteers from participating companies with critical projects that need the most support.
For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all. Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity. — Kent Walker, President Global Affairs & Chief Legal Officer Google and Alphabet
This White House summit follows recent and ongoing attacks targeting critical security vulnerabilities in the open-source and ubiquitous Apache Log4j Java-based logging library that exposed home users and enterprises alike to remote code execution attacks.
The meeting was attended by Deputy National Security Advisor Anne Neuberger and National Cyber Director Chris Inglis.
They were joined by officials from multiple federal agencies, including the Department of Defense, the Department of Commerce, the Department of Energy, and the Department of Homeland Security, as well as representatives from the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation.
Private-sector organizations that joined the meeting include, in alphabetical order: Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, RedHat, VMWare.
President Biden has previously made software security a national priority after issuing an Executive Order to increase US cybersecurity defenses in May 2021.
Biden’s cybersecurity Executive Order came after the December SolarWinds supply chain attack.
It asks the US government to boost supply-chain security by developing guidelines, tools, and best practices to audit and ensure that malicious actors do not meddle with critical software.
The same Executive Order also says that only companies which use secure software development lifecycle practices can sell their products to the federal government, leveraging the government’s purchasing power to drive improvements in the software supply chain.