Prompted by the Log4j vulnerability, the U.S. White House this week held a meeting on open source security, discussing initiatives to improve the security of open source software and new ways of collaborating that could drive improvements quickly. As early as last December, White House National Security Advisor Jake Sullivan had sent a letter to major technology companies indicating the need for such a conference; in the letter he noted that the maintenance of foundational open source software by volunteers is a “national security issue.”
Participants had a substantive and constructive discussion on how to make a difference in the security of open source software while effectively engaging and supporting the open source community. Discussions focused on three topics: preventing security flaws and vulnerabilities in code and open source packages, improving the process for finding flaws and fixing them, and reducing the response time to release and implement fixes.
The session was led by White House cybersecurity leader Anne Neuberger and included participants from Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware, as well as officials from government agencies such as the U.S. Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA). U.S. National Cyber Director Chris Inglis said, “The situation surrounding Log4j underscores the need to improve our software security and transparency in the software supply chain.”
In a blog post, Kent Walker, president of global affairs and chief legal officer for Google & Alphabet, said that open source software code is open to the public and free for anyone to use, modify or inspect. Open source promotes collaborative innovation and the development of new technologies to help solve common problems; that is why some critical infrastructure and many aspects of national security systems rely on open source software. But there is no official allocation of resources, nor are there formal requirements or standards for maintaining the security of that critical code. In fact, much of the work of maintaining and improving open source security, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis.
“For a long time, the software community has assumed that open source software is generally secure because it is transparent and that ‘many eyes’ are watching to find and fix problems. But in fact, while some projects do have a lot of eyes on them, there are many others that have little or no attention.”
For its part, Google made a number of suggestions at the conference on how to build a new model for maintaining and securing open source software. These included:
- Identify key projects. A public-private partnership is needed to draw up a list of critical open source projects, with criticality determined by a project's impact and importance, so that resources for the most essential security assessments and improvements can be prioritized and allocated.
- Establish security, maintenance and testing baselines. Walker noted that these standards should be developed through a collaborative process that emphasizes frequent updates, ongoing testing, and validation of integrity. Citing OpenSSF as an example, he wrote: “Fortunately, the software community has gotten off to a good start. Organizations like OpenSSF are already working across industries to create these standards (including supporting efforts like our SLSA framework).”
- Increase public and private support. Google proposed creating an organization that would act as a marketplace for open source maintenance, matching volunteer engineers from companies with the critical projects that need the most support. Google said it “stands ready to contribute resources to this initiative.”
On the first point above, Jamie Thomas, IBM’s director of enterprise security, agreed, noting that the White House meeting made clear that “government and industry can work together to improve the security practices of open source. We can start by encouraging the widespread adoption of open and reasonable security standards, identifying critical open source assets that should meet the most stringent security requirements, and fostering nationwide collaboration to expand skills training and education in open source security and reward developers who make significant progress in this area.”
Joe Brockmeier, vice president of marketing at the Apache Software Foundation, also said in a statement that there is no single “panacea.” The path forward will require upstream collaboration among the companies and organizations that use and distribute open source software.