Log4j Lesson: Improvements in Open Source Software Need Federal Help
While much of this software is written by employees of tech companies whose products are based on open source code, the developer community is decentralized, often resource-poor, and generally more focused on adding new features than on securing existing ones. But amid urgent pressure to fix vulnerable devices, open source security specialists say recent advancements will make future disasters less likely, especially if this work receives a boost from the federal government.

“There’s a lot more control over the software now,” said David Wheeler, director of open source supply chain security at the Linux Foundation. “We have a lot of people who decided it was big enough to invest time, money and people.”

Cyber pros have been calling for this kind of heightened attention for years, especially after a massive encryption vulnerability called Heartbleed, discovered in 2014, was attributed to flaws in the open-source OpenSSL crypto library. At the time, security advocates complained that big tech companies had done too little to support the handful of developers who maintained OpenSSL, mostly in their spare time.

Such complaints resurfaced after the discovery this month of the Log4j flaw.

Yet, over the past year, several large-scale efforts to strengthen the security of open source code have come to fruition, mostly under the auspices of the Linux Foundation’s Open Source Security Foundation. The group published a guide to help software developers disclose vulnerabilities and coordinate with organizations that rely on their code, a dashboard that can automatically assess the security posture of a software project, a framework for integrating anti-tampering protections into code, and a service that issues security certificates to help developers prove that their software updates are genuine.

“It’s about defining an expectation… because, what does it mean to be safe?” Brian Behlendorf, CEO of the Open Source Security Foundation, said of these initiatives.

Some tech giants have stepped in to help. Google has pledged $100 million to groups focused on improving open source security. “We are looking, through foundations and financial aid, to find ways to help [developers] do the right thing,” said Eric Brewer, vice president of infrastructure at Google and founder of the Open Source Security Foundation.

But security experts say the fragmented and underfunded open source community also needs major help from the federal government to find and fix loopholes in neglected pockets of widely used code.

“It’s amazing how much of the core business critical software actually isn’t that complicated [and] does not require large development teams,” said Behlendorf. Grants of $50,000 or $80,000 to pay a few people for a few months “could make a big difference,” he said.

Allan Friedman, senior advisor and strategist at CISA, agreed that government has an important role to play, especially given its ability to see as a whole how and where open source code underpins critical systems.

The federal government has “a very big picture of software,” Friedman said. “We can help prioritize projects that are essential to the national mission and also where we may not have sufficient existing resources.”

Supporters of the open-source model have long touted its security advantages over proprietary closed-source software, saying the ability to publicly share code and collaborate on fixes makes it easier to fix vulnerabilities that might otherwise go unnoticed. Open source software has become ubiquitous on the Internet and in a multitude of computer systems, including major products such as Apache’s web server and the Linux family of operating systems that also form the basis of Android.

But in practice, Log4j and other equally ubiquitous open source libraries often receive little dedicated review and maintenance, allowing vulnerabilities to remain hidden for long periods of time.

And while some foundations receive significant financial support from companies that rely on open source code – Behlendorf said automakers “care a lot about all of this” – others operate on tight budgets.

Federal agencies rely heavily on open source code, so funding targeted security reviews of specific software packages would be in the government’s direct interest.

“This is important critical infrastructure,” Brewer said, “and it needs the same kind of support as all other critical infrastructure.”

Two other solutions will require a combination of federal government and industry efforts.

The Log4j emergency highlighted the federal government’s efforts to create a standard approach to a software bill of materials, or SBOM: a list of digital ingredients that helps software users understand where the code they run comes from. By reviewing these ingredient lists, organizations can determine whether they are using software that contains vulnerable code.

But few companies maintain accurate and complete inventories of their software, or have the technology to automatically process ingredient lists. “It’s definitely not a panacea,” Brewer said.
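The following is an added example, not code from the article or from any of the organizations it quotes, of the check the article describes: reading an SBOM and flagging components whose version falls inside an advisory’s affected range. The SBOM uses the CycloneDX JSON field names (bomFormat, specVersion, components) but its components, versions and the advisory identifier and range are all constructed for this example and are not real vulnerability data. It also illustrates the caveat above: a component listed without a version cannot be checked and is reported separately rather than silently passed.

```python
"""Match an SBOM's components against advisory version ranges.

Added example. The SBOM and the advisory list below are constructed
placeholders; only the CycloneDX field names are real.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON shape. One component deliberately
# has no version, to show how incomplete inventories surface in the output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.example", "name": "logging-core", "version": "2.3.1"},
        {"type": "library", "group": "org.example", "name": "logging-core", "version": "2.9.0"},
        {"type": "library", "group": "org.example", "name": "json-utils", "version": "1.0.4"},
        {"type": "library", "group": "org.example", "name": "legacy-parser"},
    ],
})

# Placeholder advisories (invented id and range, not a real CVE). The range
# is inclusive of "introduced" and exclusive of "fixed", the version that
# carries the patch.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.example", "name": "logging-core",
     "introduced": "2.0.0", "fixed": "2.8.0"},
]


def parse_version(v):
    """Turn '2.3.1' or '2.3.1-rc1' into a comparable tuple.

    Missing components are padded with zeros, and a pre-release suffix sorts
    before the corresponding release (2.0.0-beta1 < 2.0.0).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    pre = m.group(2)
    return nums + ((1, "") if pre is None else (0, pre))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def check_sbom(sbom_json, advisories):
    """Return {'affected': [...], 'unversioned': [...]} for an SBOM document.

    'affected' holds (advisory id, group, name, version) tuples; 'unversioned'
    lists (group, name) for components that could not be checked at all.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        group, name = comp.get("group"), comp.get("name")
        version = comp.get("version")
        if not version:
            unversioned.append((group, name))
            continue
        for adv in advisories:
            if group == adv["group"] and name == adv["name"] and \
                    is_affected(version, adv["introduced"], adv["fixed"]):
                affected.append((adv["id"], group, name, version))
    return {"affected": affected, "unversioned": unversioned}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM, ADVISORIES)
    for adv_id, group, name, version in result["affected"]:
        print(f"AFFECTED  {group}:{name} {version}  ({adv_id})")
    for group, name in result["unversioned"]:
        print(f"UNCHECKED {group}:{name}  (no version in SBOM)")
```

The design point is the second list: an SBOM entry with no version, or one that names the wrong component, does not produce a match, so a scan that only reports hits will look clean precisely when the inventory is worst. Reporting what could not be checked is what turns the list of ingredients into something an organization can act on.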

Still, “it will be very difficult to progress without SBOM,” said Friedman, who oversaw SBOM work at the National Telecommunications and Information Administration before joining CISA. “Transparency in the software supply chain is going to be essential… to understand where our exposures are, where our risks are and where the opportunities for help lie.”

Teaching cybersecurity to new coders is more important than any new technology. University courses and online coding platforms “don’t usually talk” about security, Wheeler said. “We get exactly the kind of software we should expect when we don’t teach anyone” how to write secure code and find bugs.

Congress, CISA and NIST have paid particular attention to cybersecurity education in recent years. Federal guidelines on software security programs and grants to schools that offer them could help improve security literacy.

Despite crises such as the Log4j emergency, those most closely involved in open source security initiatives predict major ecosystem improvements over the next several years.

“The future is very, very bright,” Wheeler said. “Things are going to get better pretty quickly, thanks to all the attention and effort people put into it.”
