The White House wants government and private sector organizations to mobilize efforts and resources to secure open source software and its supply chain after vulnerabilities in Log4j exposed critical infrastructure to attacks from threat actors.
Discussions on this topic took place at the Open Source Software Security Summit convened by the Biden administration on Thursday.
Participants focused on three topics: preventing security flaws and vulnerabilities in open source software, improving the process of detecting and fixing security flaws, and reducing the time required to deliver and deploy patches.
“Most major software packages include open source software – including software used by the national security community,” a readout from the Software Security Meeting read.
“Open source software provides unique value and presents unique security challenges, due to its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”
At the summit, Google proposed the creation of a new organization that would act as a marketplace for open source maintenance, connecting volunteers from participating companies with the critical projects that need support the most.
For too long, the software community has comforted itself with the assumption that open source software is generally secure because of its transparency and the assumption that “many eyes” are watching to detect and fix problems. But in fact, while some projects have a lot of eyes on them, others have few or none at all. The growing reliance on open source means it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance and testing, to ensure that national infrastructure and other major systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity. — Kent Walker, President of Global Affairs and Chief Legal Officer of Google and Alphabet
This White House summit follows recent and ongoing attacks targeting critical security vulnerabilities in Apache Log4j, the ubiquitous open-source Java-based logging library, which have exposed individuals and businesses to remote code execution attacks.
The meeting was attended by Anne Neuberger, Deputy National Security Advisor, and Chris Inglis, National Cyber Director.
They were joined by officials from several federal agencies, including the Department of Defense, Department of Commerce, Department of Energy and Department of Homeland Security, as well as representatives from the Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology and National Science Foundation.
The private sector organizations that joined the meeting are, in alphabetical order: Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Foundation, Open Source Security Foundation, Microsoft, Oracle, Red Hat, VMware.
President Biden previously made software security a national priority after issuing an executive order to strengthen America’s cybersecurity defenses in May 2021.
Biden’s executive order on cybersecurity came after the SolarWinds supply chain attack in December.
It calls on the U.S. government to strengthen supply chain security by developing guidelines, tools, and best practices to audit and ensure malicious actors are not meddling with critical software.
The same executive order also states that only companies that use secure software development lifecycle practices can sell their products to the federal government, leveraging the government’s purchasing power to drive improvements across the software supply chain.