Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.
The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”
The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and RedHat.
According to the White House, the meeting agenda included three topics:
- Preventing security defects and vulnerabilities in open-source code and packages
- Improving the process for finding open-source software defects and remediating them
- Shortening the response time for distributing and implementing fixes
To address the first topic, participants discussed making it easier for developers to write secure code by integrating features such as code signing and stronger digital identities into development tools and infrastructure used to build, warehouse, and distribute code.
In terms of improving the process for finding defects and remediating them, the participants discussed prioritizing and maintaining a catalog of the most critical projects. Regarding shortening response and remediation times, the meeting attends talked about ways to accelerate and improve the use of software bills of material (SBOMs) to make it easier to know what components go into software.
“Incredibly constructive discussion”
In a press briefing following the meeting, Sullivan called the gathering “an incredibly constructive discussion about ways that the public sector and the private sector can work effectively together to ensure that public sector systems are more robust and resilient and private sector systems are more robust and resilient.”
He also pointed to the administration’s efforts to tackle the problem of open-source software security. The President’s executive order (EO) issued in May directed NIST to develop guidance identifying practices that enhance the security of the software supply chain. The EO required NIST’s guidance to include standards, procedures, or criteria that ensure and attest “to the integrity and provenance of open-source software used within any portion of a product.” NIST published these guidelines in draft form in October.
The EO also required the Commerce Department’s National Telecommunications and Information Administration (NTIA) to publish minimum elements for an SBOM. NTIA published a document in July containing those elements.
Google’s new open-source security proposals
Industry participants came out of the White House meeting expressing their support for further government collaboration. After the meeting concluded, Kent Walker, president global affairs and chief legal officer, Google and Alphabet, shared a series of proposals for new collaborative models to secure open source software.
The first proposal is to establish a public-private partnership to identify and maintain a list of critical open-source projects, with criticality determined based on the influence and importance of a project. The second proposal calls for the government and industry “to come together to establish baseline standards for security, maintenance, provenance, and testing,” emphasizing frequent updates, continuous testing, and verified integrity.
The third proposal is to set up “an organization to serve as a marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support.” Google says it has already contributed resources and stands ready to contribute more resources to these efforts.
The tech sector applauds government leadership
The other private sector participants also endorsed the idea of working together with the government to make open-source software more secure. “When the security of a widely used open-source component or application is compromised, every company, every country, and every community is impacted,” Linux Foundation Executive Director Jim Zemlin said. “We applaud the U.S. government’s leadership in facilitating a stronger focus on open-source software security and look forward to collaborating with the global ecosystem to make progress. In particular, the OpenSSF is our key initiative to address the broad set of open-source software supply chain challenges, and it was very heartening to hear our work identified and endorsed by other participants in the meeting as a basis for further collaboration.”
Brian Behlendorf, executive director of the OpenSSF, agrees. “The open-source ecosystem will need to work together to further cybersecurity research, training, analysis, and remediation of defects found in critical open-source software projects,” he said. “[The plans discussed at the White House meeting] were met with positive feedback and a growing, collective commitment to take meaningful action. Following the recent Log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open-source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.”
Mike Hanley, CSO of GitHub, said that addressing “software supply chain security is a team sport. Through partnerships with governments, academia, developers, and other organizations, together we can make a significant impact on the future of software security, and today’s discussion is an important step in securing the world’s code together.”
Akamai said “that government and industry should prioritize investments in tools and technologies that can help increase visibility of use of open source, optimally through automated tools.” It also said it “supports strong private-public ownership and vulnerability management for designated critical open-source libraries.”
The Apache Foundation called the White House meeting “a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open source software.” Red Hat said that “it looks forward to working with the Administration and a broad set of stakeholders on any next steps and will continue our focus on supporting our customers and strengthening the open-source ecosystem.”
Copyright © 2022 IDG Communications, Inc.