Google calls for new government action to protect open source software projects


Following an open source security summit held Thursday at the White House, Google called for increased government involvement in identifying and securing critical open source software projects.

In a blog post released shortly after the summit, Kent Walker, president of global affairs and chief legal officer of Google and Alphabet, said government-private sector collaboration was needed for open source funding and management.

“We need a public-private partnership to identify a list of critical open source projects – with criticality determined based on a project’s influence and importance – to help prioritize and allocate resources to the most essential security assessments and improvements,” Walker wrote.

The blog post also called for increased public and private investment to keep the open source ecosystem secure, especially when the software is used in infrastructure projects. For the most part, funding and review of these projects are provided by the private sector.

The White House had not responded to a request for comment at the time of publication.

“Open source software code is publicly available, free for anyone to use, modify, or inspect…. That’s why many aspects of critical infrastructure and national security systems incorporate it,” Walker wrote. “But there is no formal allocation of resources and few formal requirements or standards to maintain the security of this critical code. In fact, most of the work to maintain and improve open source security, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis.”

Lack of funding and resources for open source development has long been raised as a security issue and re-emerged as a key issue after the discovery of a serious bug in the Log4j Java library, which quickly became the biggest cybersecurity vulnerability in recent years. The Log4j library was also developed and maintained largely by unpaid labor.

When open source projects receive funding, it usually comes from private sources such as individual donations or sponsorship from technology companies. Google recently contributed $1 million to the Secure Open Source (SOS) Rewards program, a pilot program run by the Linux Foundation to financially reward developers working to improve the security of open source projects.

In a statement, Eric Brewer, vice president of infrastructure at Google, said:

“Although it was called a summit, today’s meeting was actually a working session to develop concrete and pragmatic solutions to improve open source security. Participants largely agreed on approaches to identify and secure critical projects, and in particular to underwrite these efforts with real investment. It is especially crucial that those maintaining open source projects receive the resources and support they need to ensure that they are well maintained and able to patch vulnerabilities quickly. We commend the White House for its leadership on this important issue.”

Updated January 14 at 8:50 a.m. ET: This article has been updated to add a statement from Eric Brewer.
