Making Open-Source Safer



More than a month after the critical Log4Shell vulnerability was first spotted, stakeholders in the tech industry attended a White House cybersecurity meeting to discuss initiatives to improve open-source software security and to advance new collaboration that rapidly drives improvements.

Most major software packages include open-source software, including the software used by the national security community, according to the White House statement. Open-source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.

The meeting included officials from several federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security and the Department of Defense.

Private sector organizations participating in the meeting included Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware.

The discussion focused on three topics. On preventing security defects and vulnerabilities in code and open-source packages, the parties discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and by securing the infrastructure used to build, warehouse and distribute code.

On improving the process for finding and fixing defects, participants discussed how to prioritize the most important open-source projects and how to put in place sustainable mechanisms to maintain them.

Finally, on shortening the response time for distributing and implementing fixes, the White House statement said participants discussed ways to accelerate and improve the use of Software Bills of Materials (a list of the components in a piece of software), as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use.

Following the meeting, Kent Walker, President of Global Affairs and Chief Legal Officer at Google and Alphabet, said that the use of open-source software is foundational to digital infrastructure. “Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open-source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” he wrote.