Log4J: After White House meeting, Google and IBM call for list of critical open source projects | ZDNet
Google and IBM are urging tech organizations to join forces for an effort to identify critical open source projects after attending a White House meeting on open source security concerns.
The meeting, led by Anne Neuberger, the White House deputy national security advisor for cyber and emerging technology, included officials from organizations such as the Apache Software Foundation, Google, Apple, Amazon, IBM, Microsoft, Meta, the Linux Foundation, and Oracle, as well as government agencies such as the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA). It took place as organizations continue to remediate the Log4j vulnerability that has caused concern since it was publicly disclosed in December.
Kent Walker, president of global affairs at Google and Alphabet, said that given the importance of digital infrastructure to the world, it is time to start thinking of it in the same way we do our physical infrastructure.
“Open source software is a connective tissue for much of the online world – it deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step towards addressing it,” Walker said.
In a blog post, Walker explained that during the meeting, Google floated several proposals for how to move forward in the wake of the Log4j vulnerability.
Walker said a public-private partnership is needed to identify a list of critical open source projects, with criticality determined by how influential and widely depended upon a project is. Such a list would help organizations prioritize and allocate resources for the security assessments and improvements that matter most.
“Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing,” Walker said, adding that there also need to be established security standards going forward.
“Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.”
IBM’s enterprise security executive Jamie Thomas echoed Walker’s comments and said the White House meeting “made clear that government and industry can work together to improve security practices for open source.”
“We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field,” Thomas said.
Walker pointed to the work of organizations such as the OpenSSF, to which Google has committed $100 million, that are already working to create standards of this kind.
He also said Google proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. He noted that Google was “ready to contribute resources” to the move.
The blog post notes that there is no official resource allocation and few formal requirements or standards for maintaining the security of critical open source code, explaining that most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, “is done on an ad hoc, volunteer basis.”
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all,” Walker said.
He also highlighted Google’s own engineering work and financial investments aimed at addressing security issues in foundational open source projects.