Tech Giants Commit USD30M to Give Open-Source Software Security a Boost

Highlights –

• The first-of-its-kind initiative aims to secure open-source code production, enhance vulnerability detection and remediation, and minimize patching response time.
• The prime goal is to find and fix vulnerabilities like Log4Shell faster to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.

During a meeting held in Washington, DC, recently, several major tech giants, including Amazon, Google, and Microsoft, committed to strengthening the security of open-source software. The Open-Source Security Foundation (OpenSSF) and the Linux Foundation, along with other open-source leaders, got together to underscore the importance of open-source software security and shared their plans to enhance the security of the software supply chain.

The gathering was attended by over 90 executives from 37 companies and government leaders representing the National Security Council (NSC), Cybersecurity and Infrastructure Security Agency (CISA), NIST, and others. The event was a follow-up to the historic White House summit in January this year which was called in the wake of the Log4Shell zero-day vulnerability. Apache’s Log4j library, a ubiquitous logging software, was badly affected by the flaw and put millions of devices at risk. But according to a study from March, almost a third of instances remain unpatched.

The last week’s summit saw tech giants such as Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledge a collective USD 30 million to power a 10-point plan that aims to enhance the security of open-source software. The first-of-its-kind initiative, designed by the Linux Foundation and OpenSSF, seeks to secure open-source code production, enhance vulnerability detection and remediation, and minimize patching response time. This includes the development of a software bill of materials, known as an SBOM, giving firms visibility of the software used in their tech stack.

The much-touted Software Supply Chain Security Mobilization Plan also necessitates the need for security education for those working in the open-source community, the removal of non-memory safe programming languages like C and COBOL, and for annual third-party code reviews of 200 of the most critical open-source software components.

The prime goal is to find and fix vulnerabilities like Log4Shell faster to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Google announced on Thursday that it is introducing a new ‘Open-Source Maintenance Crew’ with a vision to improve the security of critical open-source projects. The maintenance crew includes a team of developers who look after securing upstream open-source projects, from tightening configurations to deploying updates.