The White House and tech companies come together to strengthen the security of open source software


Amid ongoing issues with Log4J, the White House recently met with tech players to discuss how to make open source more secure.

Stakeholders from the tech industry, ranging from hyperscalers to open source developers, attended a cybersecurity meeting at the White House last week. There they met with representatives from different federal agencies, including Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security, and the Department of Defense to discuss how to improve the security of open source software.

“The discussion focused on three topics: preventing security flaws and vulnerabilities in open source code and packages, improving the process of finding and fixing flaws, and shortening the response time for distribution and the implementation of corrective measures,” the White House said in a statement.

The White House said the primary focus of the discussion was to strengthen the security features of developer tools. Prioritizing open-source projects with sustainable maintenance can address the administration’s second major concern, it said.

Finally, the administration referred to an executive order on cybersecurity it issued last May. The order sets a baseline security standard for software sold to the government.

“All participants – private sector and government – will continue discussions to support these initiatives in the coming weeks, which are open to all interested public and private actors,” the administration said.

Log4Shell remains a major cybersecurity issue

Although the administration’s comments did not identify any specific open source software, this event comes just over a month after the Log4Shell exploit was first spotted in the wild.

The exploit is specific to certain versions of Log4J, an Apache Java-based logging library. It is very widely used on all sorts of devices capable of running Java, as part of basic diagnostic services. The exploit allows a malicious actor to take control of the device. The US CISA has classified Log4Shell as a critical vulnerability.

Pressure on companies to prioritize Log4J updates has also prompted the US Federal Trade Commission (FTC) to take the rare step of rattling its legal saber to encourage compliance, reminding businesses of the 2019 settlement with credit bureau Equifax.

“The FTC intends to use its full legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” said the agency.

The exploit remains – and will remain – a persistent problem, according to Microsoft.

“This open-source component is widely used in software and services from many vendors,” Microsoft said. “By nature, Log4j being a component, vulnerabilities affect not only applications that use vulnerable libraries, but also all services that use these applications, so customers may not easily know how widespread the problem is in their environment.”
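Microsoft’s point above is that a vulnerable component rarely shows up where you look for it: it is pulled in by a library, which is pulled in by a service, which is pulled in by another service. The following is an added example (not code from the article, Microsoft or any vendor it mentions) that walks a constructed dependency inventory and reports every node that transitively reaches a named component, with the path that gets there. All node names are made up; the inventory format (a node-to-direct-dependencies map) is an assumption standing in for whatever SBOM or build-manifest data an organization actually has.

```python
"""Transitive exposure check over a constructed dependency inventory.

Added example, not from the article. Shows the difference between asking
"who declares this library?" (direct users only) and "who is actually exposed
through it?" (every transitive dependent), which is the gap the Microsoft
statement describes.
"""
from collections import deque

# Constructed sample inventory: node -> list of its direct dependencies.
# Names are invented for illustration; a real inventory would come from an SBOM.
INVENTORY = {
    "billing-api":     ["payments-lib", "logging-common"],
    "payments-lib":    ["logging-common"],
    "logging-common":  ["log4j-core"],
    "log4j-core":      [],
    "static-site":     ["http-server"],
    "http-server":     [],
    "reporting-batch": ["billing-api"],
}


def direct_users(inventory, target):
    """Nodes that list `target` as a direct dependency (what a manifest grep finds)."""
    return sorted(node for node, deps in inventory.items() if target in deps)


def dependents_of(inventory, target):
    """Map every node that transitively depends on `target` to a shortest
    dependency path [node, ..., target]. Breadth-first over the reversed
    graph; the `seen` set keeps cycles from looping forever."""
    # Reverse graph: dependency -> set of nodes that use it directly.
    reverse = {}
    for node, deps in inventory.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)

    result = {}
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        node, path = queue.popleft()
        for user in sorted(reverse.get(node, ())):
            if user in seen:
                continue
            seen.add(user)
            user_path = [user] + path
            result[user] = user_path
            queue.append((user, user_path))
    return result


def exposure_report(inventory, target):
    """Human-readable summary: direct declarers vs. everything actually exposed."""
    direct = direct_users(inventory, target)
    transitive = dependents_of(inventory, target)
    lines = [f"component: {target}",
             f"declared directly by {len(direct)} node(s): {', '.join(direct) or '-'}",
             f"transitively exposed: {len(transitive)} node(s)"]
    for node, path in sorted(transitive.items()):
        lines.append(f"  {node}: " + " -> ".join(path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(exposure_report(INVENTORY, "log4j-core"))
```

On the constructed inventory the manifest-style check finds a single declarer (`logging-common`), while the transitive walk reports four exposed nodes, including `reporting-batch`, which is three hops away and never mentions the library at all; `static-site` is correctly left out. The same walk run against a real SBOM is how a defender builds the inventory that tells them how widespread a component actually is in their environment.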

Private sector organizations participating in last week’s meeting included Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware.

Following the meeting, Kent Walker, President of Global Affairs and General Counsel at Google and Alphabet, offered his point of view.

Walker said that security through transparency falls flat these days when there aren’t resources in place to find issues, fix them, and maintain the code. He explained that open source software is fundamental to digital infrastructure, and drew a parallel with the investments in physical infrastructure that are so central to this administration’s domestic policy.

“Given the importance of digital infrastructure in our lives, it’s time to start thinking about it the same way we think about our physical infrastructure. Open source software is a connective tissue for much of the online world – it deserves the same attention and funding we give to our roads and bridges,” he wrote.
