
U.S. Government, Tech Giants Discuss Open Source Software Security

White House summit on open source software security

The White House on Thursday hosted a summit where representatives of the U.S. government and major tech companies discussed open source software security.

The recent disclosure and exploitation of vulnerabilities affecting the widely used Log4j logging utility have once again highlighted the importance of open source security and software supply chain security.

The goal of the White House summit was to identify ways to improve the security of open source software and effectively support the open source community.

The discussion focused on preventing vulnerabilities in open source code and packages, improving the process for finding and fixing flaws, and improving the response time for distributing and implementing patches.

“In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities,” the White House said following the summit.

It added, “In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them. In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use.”

Participants included representatives of the Biden administration, the Pentagon, the Department of Commerce, the Department of Energy, the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation.

The private sector was represented by Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware.

Statements following White House meeting

Several of the tech giants and other organizations that attended issued statements on Thursday following the meeting. SecurityWeek has extracted some key points from their statements.

Akamai

Akamai advocates for the following five pillars through continued partnership with our customers — many of which are leaders in their respective industries — and in collaboration with the White House, National Security Council, and broader technology community:

  • Increase visibility into reliance on open source technologies
  • Identify key open source libraries and support strong ownership and vulnerability management
  • Build reliable containment plans for when exploits are identified
  • Improve cross-government and industry information sharing when vulnerabilities are first identified
  • Expand government authorization of solutions to increase defenses

Apache Software Foundation

[We] believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software. There's no single "silver bullet" to get there, and it will take all of our organizations working together to improve the open source supply chain.

[...] 

Those who are familiar with the ASF know that we value community and having a level playing field for contributors. We believe today’s conversation is a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open source software.


Many of the organizations represented today are important contributors and consumers of open source, but of course are not all of the important contributors or consumers. We know that it’s important to hear from individual contributors as well as corporations, foundations and government entities. For our part, we’ll strive to make sure that happens.

GitHub

It’s a timely gathering in light of the security events we witnessed in the past year, with SolarWinds and Log4j providing key reminders of the importance of securing critical code. We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems in the blink of an eye. And while this is not a new issue, as we saw with Heartbleed, the recent events further underscored two ways the tech industry can come together and help. First, there must be a collective industry and community effort to secure the software supply chain. Second, we need to better support open source maintainers to make it easier for them to secure their projects.

Google

Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.


For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.

[...]

During today’s meeting, we shared a series of proposals for how to do this:

  • Identifying critical projects
  • Establishing security, maintenance & testing baselines
  • Increasing public and private support

Open Source Security Foundation (OpenSSF)

During today’s meeting, we shared a set of key opportunities where, with sufficient commitments from everyone, we could make a substantial impact on the critical endeavors needed to protect and improve the security of our software supply chains. The open source ecosystem will need to work together to further cybersecurity research, training, analysis and remediation of defects found in critical open source software projects. These plans were met with positive feedback and a growing, collective commitment to take meaningful action. Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.


Through efforts such as our working groups on Best Practices, Identifying Critical Projects, Metrics and Scorecards, Project Sigstore, and more to be announced soon, the OpenSSF has already had an impact on many of the key areas discussed during today’s meeting. We are ready to further these efforts and welcome all new participants and resources that this conversation and further such conversations may bring.

Red Hat

Red Hat applauds the Administration for its comprehensive approach to software supply chain security, as embodied in the May 2021 President’s Executive Order on Cybersecurity. A continued, dedicated focus on its implementation, and its objective of openness and transparency, is essential.


The core tenets of the Cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available.


A key theme of the meeting was the recognition that open source software has accelerated the pace of technological innovation, provides tremendous societal and economic benefits, and can contribute greatly to enhancing trust and cybersecurity.

Industrial cybersecurity firm Claroty published a blog post ahead of the meeting to highlight the risks to operational technology (OT) and critical infrastructure.

Related: Cybersecurity Leaders Scramble to Decipher SBOM Mandate

Related: Apache Foundation Calls Out Open-Source Leechers

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.