Security experts and developers have been warning for years about the need for better security and stronger support for the open source projects that form the scaffolding of the Internet and are key components of an untold number of commercial applications and tools, an issue that has been brought into sharp focus by the Log4J vulnerabilities and the attendant fallout. The problem has attracted the attention of the Biden administration, and in a meeting today at the White House, key technology leaders from Google, GitHub, Apple, and other organizations discussed possible solutions, including a proposal to set up an independent clearing house to offer support and match volunteers with open source projects that need help.
The White House meeting, which included members of the National Security Council, the National Cyber Director Chris Inglis, and other top officials, brought together security and policy leaders from major technology and infrastructure companies in an effort to find ways to shore up the security of the open source ecosystem. Virtually all proprietary commercial software includes open source components or libraries, and as the Log4J issue demonstrated, a flaw in one widely used open source tool can have cascading effects many layers deep. Log4J is used in an untold number of applications and tools and the consequences of the group of remote code execution vulnerabilities in it that have surfaced in the last month likely will be felt for many years to come.
A number of technology vendors have committed resources to helping open source developers and maintainers assess and improve the security of their code, through efforts such as the Open Source Technology Improvement Fund, Google’s OSS-Fuzz service for open source project fuzzing, and the Internet Bug Bounty, among others. Those initiatives can make a major difference for open source projects, as perhaps the biggest hurdle for most open source developers is a lack of time and resources to identify and fix security issues. Money can help, but simply connecting with the right people can go a long way, especially for lone developers or small teams that maintain a given project.
During the White House summit, Google officials proposed addressing this problem through the establishment of an organization to help match volunteers from participating companies with open source projects that need resources.
“We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems."
“Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source. That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort,” Kent Walker, president of global affairs and chief legal officer at Google, said.
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges.”
Another core part of the problem is identifying the open source projects and tools that are important and widely used enough that they can be considered critical to the nation’s security. The Open Source Security Foundation in 2020 developed a method to score the criticality of a project, based on a number of parameters, such as the project’s age, the number of contributors, number of organizations those contributors belong to, and other factors. But that’s just one method, and what’s deemed critical by some may not qualify for others. Three months ago, Log4J may not have been deemed a critical project, but few would argue against that designation now.
“We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems in the blink of an eye. And while this is not a new issue, as we saw with Heartbleed, the recent events further underscored two ways the tech industry can come together and help. First, there must be a collective industry and community effort to secure the software supply chain. Second, we need to better support open source maintainers to make it easier for them to secure their projects,” said Mike Hanley, CSO of GitHub, who attended the White House meeting.
Like Google, GitHub has committed financial and other resources to improving the security of the open source ecosystem, such as offering free security training for developers and launching a program that allows companies to sponsor open source projects that they use. The company also plans to launch a program later this year that will allow security researchers to contact maintainers privately to disclose security issues.