Driven by the widespread software vulnerabilities affecting organizations worldwide, the U.S. government met with the open source community and major software companies on January 13 at the White House to find ways to support the innovative software development community while reducing the likelihood of future security flaws in common software components.
The White House Software Security Summit brought together officials from the various government agencies involved in national security and technology with representatives from major software companies – including Akamai, Amazon, Apple, GitHub, Google, Meta, Microsoft and Red Hat – as well as members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.
The summit aimed to find ways to “prevent security flaws and vulnerabilities in code and open source packages, improve the process of finding and fixing defects, and shorten the response time for distribution and implementation of fixes,” the Biden administration said in a statement.
At the heart of the discussion, however, is how the innovative development model of open source communities can continue to flourish while the industry improves its efforts to create secure software and accelerates patching when vulnerabilities are found.
“Open source software provides unique value and has unique security challenges due to its wide application and the number of volunteers responsible for its ongoing security maintenance,” the administration said. “Participants had a substantial and constructive discussion on how to make a difference in the security of open source software while effectively engaging in and supporting the open source community.”
The summit took place as companies continue to struggle to find and patch a critical vulnerability in the Log4j logging framework for Java applications, which is widely used in enterprise software. Analysis of the Maven Central Repository, the main package repository for Java, found tens of thousands of packages depending on Log4j, and in more than 80% of those cases the dependency was transitive – pulled in by another package rather than declared directly – meaning that many Java applications are vulnerable without their developers knowing it. Although the vulnerability has not yet led to a major compromise, according to U.S. officials, the problem is likely to take years to remedy because of its ubiquity.
A long history of widespread vulnerabilities
Vulnerabilities in widespread software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 Spectre and Meltdown vulnerabilities showed that flaws found in ubiquitous software and hardware have long tails.
“The world runs on software, which in turn relies on open source, [and] one or two lines of vulnerable code can have a dramatic impact on the health, security and credibility of entire systems in an instant,” said Mike Hanley, head of security at GitHub, in a statement at the summit. “Open source vulnerabilities can have a global ripple effect across the billions of developers and services that depend on it.”
The summit aimed to find ways in which government and industry can work together to improve open source security, such as integrating security features into developer tools and services, as well as ensuring the integrity of the platforms used to store and distribute packages. The initial effort is likely to focus on ways to improve the security of popular and critical open source projects and packages and to accelerate the adoption of software bills of materials (SBOMs), so that developers and companies can track their dependencies.
“It all starts with a concerted effort to increase the visibility of the use of open source software,” said Boaz Gelbord, head of security at Akamai. “Government and private sector organizations need to invest in tools that detect dependence on open source technologies and, crucially, take steps to mitigate risks to strengthen the security of the ecosystem as a whole.”
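The dependency visibility described above, and the transitive Log4j dependencies mentioned earlier, are exactly what an SBOM is meant to expose. The following script is an added example written for this article, not code from the summit participants or any of the named projects: it walks a small, constructed CycloneDX-style SBOM (component names, versions and the "billing-service" application are made up), finds every path by which the application pulls in a given component, and flags the paths whose leaf version is below an assumed fixed version. The fixed version of 2.17.1 and the treatment of everything below it as affected are simplifying assumptions for illustration; the real Log4j advisories have more nuanced affected ranges.

```python
"""Walk a CycloneDX-style SBOM and report every dependency path that
reaches a component of interest, marking transitive paths explicitly."""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape. Not a real
# project's bill of materials; groups under org.example are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "1.0"}},
    "components": [
        {"bom-ref": "web-fw", "group": "org.example", "name": "web-framework", "version": "3.1.0"},
        {"bom-ref": "es-client", "group": "org.example", "name": "search-client", "version": "7.9.0"},
        {"bom-ref": "log4j-old", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "log4j-new", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"bom-ref": "json-lib", "group": "org.example", "name": "json", "version": "1.2.3"},
    ],
    # The application declares three direct dependencies; log4j-core arrives
    # only through two of them, one at a patched version and one not.
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-fw", "es-client", "json-lib"]},
        {"ref": "web-fw", "dependsOn": ["log4j-new"]},
        {"ref": "es-client", "dependsOn": ["json-lib", "log4j-old"]},
        {"ref": "json-lib", "dependsOn": []},
    ],
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _load(sbom_json: str) -> Tuple[Dict[str, dict], Dict[str, List[str]], str]:
    """Index components by bom-ref and build the adjacency list of the dependency graph."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    comps[root["bom-ref"]] = root  # the application itself is the graph root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return comps, graph, root["bom-ref"]


def find_dependency_paths(sbom_json: str, group: str, name: str) -> List[List[str]]:
    """Depth-first search from the root; returns every path (as bom-refs) ending at group:name."""
    comps, graph, root = _load(sbom_json)
    paths: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        if ref in path:  # guard against cyclic dependency declarations
            return
        path = path + [ref]
        comp = comps.get(ref, {})
        if comp.get("group") == group and comp.get("name") == name:
            paths.append(path)
            return
        for child in graph.get(ref, []):
            walk(child, path)

    walk(root, [])
    return paths


def affected_paths(sbom_json: str, group: str, name: str, fixed_version: str) -> List[dict]:
    """Keep only the paths whose leaf version is older than the assumed fixed version."""
    comps, _, _ = _load(sbom_json)
    findings = []
    for path in find_dependency_paths(sbom_json, group, name):
        leaf = comps[path[-1]]
        if parse_version(leaf["version"]) >= parse_version(fixed_version):
            continue
        findings.append({
            "version": leaf["version"],
            "transitive": len(path) > 2,  # anything deeper than root -> direct dependency
            "path": " -> ".join(f"{comps[r]['name']}@{comps[r]['version']}" for r in path),
        })
    return findings


if __name__ == "__main__":
    for finding in affected_paths(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(finding)
```

On the sample data only the path through the search client is reported, and it is marked transitive, which is the case the earlier Maven Central figures describe: the application never names Log4j itself. One caveat when doing this for real: generate the SBOM from a resolved build (Maven's version mediation puts a single log4j-core version on the classpath), not by reading declared POM files, or the report will count versions that are never actually loaded.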
The effort will be a balance between maintaining the innovative and standard-setting efforts for independent open source development and enforcing secure development practices on projects and products that become part of the critical infrastructure on which industry and government depend, says Brian Behlendorf, CEO of the Open Source Security Foundation (OpenSSF).
“At the beginning of the supply chain are raw, sometimes messy, but also often incredibly innovative processes of writing code in a group, which so often lead to great software,” he says. “It is valuable and should not be chained by bureaucracy or requirements that create no value for these upstream core developers.”
However, OpenSSF recognizes that more secure development processes need to be added to each step of the chain from core developer to package manager to the development teams that ultimately use the software component or library.
“What’s important now, in a world of millions of software projects and developers, is to help scale up what used to be high-confidence informal processes along this chain to more rigorous, automated tools and approaches,” says Behlendorf.
The industry has already begun investing in securing open source software as well as its own software products. At a similar summit in August, Google and Microsoft promised to spend billions on software security and cybersecurity efforts over the next five years. For example, Google has committed to an “invisible security” initiative to integrate protections so that developers and companies reap the benefits without extra effort, and has also worked with OpenSSF to release tools to developers. Akamai pledged to continue helping the open source community find ways to detect software vulnerabilities and attacks, but acknowledged that much work remains.
“While this announcement is a step in the right direction, more needs to be done to support the open source community to thrive within our ever-evolving threat landscape,” says Akamai’s Gelbord.
Last year, the Biden administration issued an executive order on cybersecurity, which was widely praised for being more detailed than those of previous administrations. In addition, the administration announced in October that it would set up a Bureau of Cyberspace and Digital Policy in the U.S. State Department to lead international diplomacy on the issue.