Google has called for a public-private partnership to identify a list of critical open source projects and find new ways to identify software that could pose systemic risk, as the world grapples with the recent Log4j open source software vulnerability, which has put millions of devices at risk of hacking.
Following an open source security summit at the White House on Thursday, Google said government and private sector collaboration is needed for open source funding and management.
“We need a public-private partnership to identify a list of critical open source projects – with criticality determined based on a project’s influence and importance – to help prioritize and allocate resources to the most essential security assessments and enhancements,” said Kent Walker, president of global affairs and chief legal officer of Google and Alphabet.
Open source software code is publicly available, free for anyone to use, modify, or inspect.
As it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems.
“That’s why many aspects of critical infrastructure and national security systems incorporate it. But there is no formal allocation of resources and few formal requirements or standards to keep this critical code secure,” Google said.
In fact, most open source maintenance and security improvement work, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis.
“Longer term, we need new ways to identify software that could pose systemic risk – based on how it will be integrated into critical projects – so that we can anticipate the level of security required and provide appropriate resources,” Google noted.
“Log4j” vulnerabilities represent a complex and high-risk situation for businesses around the world.
This open source component is widely used in software and services from many vendors.
“Sophisticated adversaries (such as nation-state actors) and commodity attackers have been observed taking advantage of these vulnerabilities. There is strong potential for widespread use of the vulnerabilities,” according to Microsoft.
Cybercriminals are making thousands of attempts to exploit a second vulnerability involving a Java logging system called “Apache log4j2”.
Google recently said that more than 35,000 Java packages, representing over 8% of the Maven Central repository (the largest Java package repository), were affected by the recently disclosed vulnerabilities, with widespread fallout across the software industry.
The Apache Software Foundation has released several updates as a result of the widespread “Log4Shell” vulnerability in the Log4j version 2 branch.
(Only the title and image of this report may have been edited by Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)