Google seeks government help to secure critical open-source software


Google has called for a public-private partnership to identify a list of critical open source projects and to find new ways of identifying software that could pose systemic risk, as the world grapples with the recently disclosed vulnerability in the open source Log4j library, which has put millions of devices at risk of hacking.

Following an open source security summit at the White House on Thursday, Google said government and private sector collaboration is needed for open source funding and management.

“We need a public-private partnership to identify a list of critical open source projects – with criticality determined based on a project’s influence and importance – to help prioritize and allocate resources to the most essential security assessments and enhancements,” said Kent Walker, president of global affairs and chief legal officer of Google and Alphabet.

Open source software code is publicly available, free for anyone to use, modify, or inspect.

As it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems.

“That’s why many aspects of critical infrastructure and national security systems incorporate it. But there is no formal allocation of resources and few formal requirements or standards to keep this critical code secure,” Google said.

In fact, most open source maintenance and security improvement work, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis.

“Longer term, we need new ways to identify software that could pose systemic risk – based on how it will be integrated into critical projects – so that we can anticipate the level of security required and provide appropriate resources,” Google noted.

“Log4j” vulnerabilities represent a complex and high-risk situation for businesses around the world.

This open source component is widely used in software and services from many vendors.

“Sophisticated adversaries (such as nation-state actors) and commodity attackers have been observed taking advantage of these vulnerabilities. There is strong potential for widespread use of the vulnerabilities,” according to Microsoft.

Cybercriminals are making thousands of attempts to exploit a second vulnerability involving a Java logging system called “Apache log4j2”.

Google recently said that more than 35,000 Java packages, representing over 8% of the Maven Central repository (the largest Java package repository), were affected by the recently disclosed vulnerabilities, with widespread fallout across the software industry.

The Apache Software Foundation has released several updates as a result of the widespread “Log4Shell” vulnerability in the Log4j version 2 branch.



(Only the title and image of this report may have been edited by Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)
