Recent cybersecurity threats such as Log4Shell have sparked interest in public-private partnerships and other initiatives to secure open-source software.
Major US tech companies including Google and GitHub came together at a White House summit yesterday (13 January) to discuss ways to make the open-source software space more secure in light of recent vulnerabilities.
New standards for open-source software security, increased funding for developers in the space and public-private partnerships to secure the ecosystem were some of the ideas floated during the summit on the future of open-source development.
Recent cybersecurity threats with global implications, including the Log4Shell flaw that emerged last month, prompted the US government to hold the summit.
However, security threats stemming from open-source software are not a new phenomenon. The Heartbleed bug revealed in 2014, which was a serious flaw in web encryption software OpenSSL, was one of the first major security threats in the space. It was believed at the time that as much as 17pc of secure web servers could be vulnerable.
“There will be another big deal at some point in the future that we’re going to need to respond to,” GitHub chief security officer Mike Hanley told Protocol following the White House summit, indicating that Log4Shell won’t be the last threat facing open-source software.
Google made a series of proposals at the summit, including a public-private partnership to identify a list of critical open-source projects to help prioritise and allocate resources accordingly.
“We proposed setting up an organisation to serve as a marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support,” Kent Walker, president of global affairs and chief legal officer at Google, wrote in a blog post.
Google’s readiness to contribute resources to this effort was echoed by GitHub, which revealed plans to up its game in the open-source software security space in 2022 with a host of updated tools to help its 73m developers manage vulnerabilities.
“Developers aren’t necessarily security experts – nor should they have to be – which is why we’re intently focused on making it easier for them to write more secure code in a frictionless way,” Hanley wrote in a blog post.
In addition to tools, he said that GitHub was ready to offer developers more opportunities in upskilling and training as well as finding more funding through programmes such as GitHub Security Lab and GitHub Sponsors.
Robert Blumofe, chief technology officer at US cybersecurity company Akamai and one of the summit’s attendees, told Protocol that the very existence of the summit was an indication of the US government’s recognition of the importance of open-source software.
“It wouldn’t have been completely inconceivable for the government to start to take a very negative approach and say, ‘Well, we can’t trust open source,’ or view open source as the scapegoat,” he added.