A White House summit focused on open source security has emphasized the need for greater collaboration between tech giants, open source volunteers, and the US federal government.
Representatives of all three constituencies met virtually on Thursday (January 13) to discuss potential remedies to proliferating attacks against an open source supply chain on which applications of all kinds depend.
The world’s most valuable companies – such as Google and Meta – were represented at the event alongside non-profits, such as the Linux Foundation and Apache Software Foundation (ASF), which help unpaid volunteers maintain sprawling open source ecosystems.
‘Scale problem’
Amid the ongoing fallout from the landmark ‘Log4Shell’ bug, the discussion centered on how to more effectively prevent, find, and fix security vulnerabilities, as well as distribute and apply patches more rapidly, the White House said.
Solutions pondered, it continued, included integrating security features into development tools, protecting the codebase with code signing and stronger digital identities, and leveraging software bills of material to give organizations greater visibility of their open source use.
“The Log4J experience has shown organizations that they may not have a complete understanding of what software components power their business,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.
“That is a solvable problem, but it’s also a scale problem that starts with asking the question of just what software is powering the business, where it came from and how it is updated.
“After all, you can’t patch what you don’t know you have and without an appropriate process to review all software changes, it’s entirely possible that a new piece of software might just use a vulnerable component that you thought you’d completely patched.”
‘Unfunded burdens’
The ASF, published a position paper in advance of the summit that said upstream producers were not exclusively responsible for bolstering the software ecosystem, although it noted that the Apache Log4j vulnerability could have been prevented by “disabling antiquated and unnecessary features”.
In a press release the White House acknowledged the ubiquity of open source technologies in modern applications – “including software used by the national security community” – and its “unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”
In its position paper the ASF said “companies that build open source into their products rarely participate in their continued maintenance”, and urged the federal government to “avoid placing additional unfunded burdens on the few maintainers who are already doing the work”.
‘A good beginning’
Bolstering the nation’s cyber defenses has been a cornerstone of President Biden’s agenda since taking office in January 2021 in the wake of the SolarWinds supply chain attack, with an Executive Order signed in May paving the way for a raft of directives, initiatives, and policy revamps.
Red Hat, an IBM subsidiary that develops enterprise-grade open source solutions, applauded “the Administration for its comprehensive chain security”, and said his executive order could help in “assuring that vendors of all approach to software supply stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available”.
The ASF, which oversees the maintenance of 350-plus Apache projects and 237 million lines of code, endorsed the White House’s emphasis on collaboration and said the summit was “a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open source software.”
Also attending the summit alongside National Cyber Director Chris Inglis and officials from various federal agencies were Apple, Microsoft, IBM, VMWare, Oracle, Amazon, GitHub, the Open Source Security Foundation, Akamai, and Cloudflare.
The White House said all participants would “continue discussions to support these initiatives in the coming weeks, which are open to all interested public and private stakeholders”.
