Tech giants like Amazon, Google, and Microsoft have pledged millions of dollars to bolster the security of open source software.
The commitment was made at a meeting in Washington, D.C. last week, where open source leaders, led by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), shared their plans to improve software supply chain security.
The industry gathering, attended by government leaders and more than 90 executives from 37 companies, follows the White House summit in January convened in the wake of the Log4Shell zero-day vulnerability. The flaw affected Apache Log4j, a ubiquitous Java logging library, and endangered millions of devices worldwide. Yet according to a March study, almost a third of affected deployments remained unpatched.
At last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware pledged $30 million to fund a 10-point plan to strengthen open source software security. Designed by the Linux Foundation and OpenSSF, this first-of-its-kind initiative aims to secure open source code production, improve vulnerability detection and remediation, and shorten patch response time. This includes promoting the software bill of materials, known as an SBOM: a machine-readable inventory of the components a piece of software is built from, which gives companies visibility into what is actually in their technology stack.
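The visibility an SBOM provides is concrete: a Log4Shell response team can answer "where do we ship a vulnerable log4j-core?" by querying the inventory instead of grepping filesystems. The following is an added example, not code from the article or from OpenSSF, that walks a CycloneDX JSON SBOM (a real, widely used SBOM format) and classifies every Log4j artifact against CVE-2021-44228, the Log4Shell identifier. The sample SBOM, the status labels and the choice of 2.17.1 as the recommended floor are this example's own assumptions.

```python
"""Scan a CycloneDX JSON SBOM for Log4j components and classify them against
Log4Shell (CVE-2021-44228). Added example; the sample SBOM below is constructed."""
import json

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the
# first release with the JNDI message-lookup fix. Follow-on CVEs were fixed in
# 2.16.0, 2.17.0 and 2.17.1, so 2.17.1 is used here as the recommended floor.
LOG4SHELL_FIXED = (2, 15, 0)
RECOMMENDED_FLOOR = (2, 17, 1)

# Maven coordinates of the artifacts that matter for this check.
LOG4J2_CORE = ("org.apache.logging.log4j", "log4j-core")
LOG4J1 = ("log4j", "log4j")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Pre-release tags are
    dropped, which is conservative here: 2.0-beta9 still sorts below 2.15.0."""
    core = version.split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(group, name, version):
    """Return a status for a Log4j artifact, or None for unrelated components."""
    if (group, name) == LOG4J1:
        # Log4j 1.x is not hit by CVE-2021-44228 but is end-of-life and unpatched.
        return "EOL_1X"
    if (group, name) != LOG4J2_CORE:
        # log4j-api and other modules do not carry the vulnerable lookup code.
        return None
    ver = parse_version(version)
    if ver < LOG4SHELL_FIXED:
        return "VULNERABLE"
    if ver < RECOMMENDED_FLOOR:
        return "BELOW_RECOMMENDED"
    return "OK"


def iter_components(components):
    """Walk CycloneDX components depth-first; a component may nest components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_log4j_findings(sbom):
    """Return (identifier, version, status) for every Log4j artifact in the SBOM."""
    findings = []
    for comp in iter_components(sbom.get("components", [])):
        status = classify(comp.get("group"), comp.get("name"), comp.get("version", "0"))
        if status is not None:
            ident = comp.get("purl") or comp.get("name")
            findings.append((ident, comp.get("version"), status))
    return findings


def scan_sbom_json(text):
    """Parse the JSON document and run the scan."""
    return find_log4j_findings(json.loads(text))


# Constructed sample SBOM (not from any real product): one vulnerable log4j-core,
# one patched copy nested inside a bundled application, the harmless log4j-api
# module, and a legacy 1.x jar.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
     "purl": "pkg:maven/log4j/log4j@1.2.17"},
    {"type": "application", "name": "reporting-service", "version": "3.1.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]}
  ]
}"""

if __name__ == "__main__":
    for ident, version, status in scan_sbom_json(SAMPLE_SBOM):
        print(f"{status:18} {version:8} {ident}")
```

Two design points matter in practice. The check keys on Maven coordinates rather than on the word "log4j" in a name, so log4j-api (which does not contain the JNDI lookup) is not flagged while a log4j-core buried inside a bundled application still is; and the 1.x line is reported separately, because an SBOM that only asks "is it below 2.15.0?" would misfile end-of-life jars as Log4Shell hits and bury the real ones.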
The so-called software supply chain security mobilization plan also calls for security training for everyone working in the open source community, the phasing out of memory-unsafe programming languages like C++ and COBOL in favor of memory-safe alternatives, and annual third-party code reviews of 200 of the most critical open source software components.
The ultimate goal is to find and fix vulnerabilities like Log4Shell faster to better protect the United States from malicious cyberattacks that exploit insecure software platforms and devices.
“What we’re doing here together is bringing together a set of ideas and principles about what’s going on there and what we can do about it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have developed represents the 10 flags in the ground as a basis to begin with. We look forward to further feedback and commitments that will move us from plan to action.”
Google Cloud also announced at the summit that it would be launching an open source maintenance team, a group of dedicated engineers who will work with upstream maintainers to harden the security of various open source projects.