White House calls summit on open source security following Log4j attacks
In addition to Apple, Google, Amazon, Meta, IBM and Microsoft, the Apache Software Foundation which owns and maintains the Log4j library, Oracle, GitHub and the Linux Open Source Foundation will attend the meeting with the Biden administration as well.
Executives from all of the tech companies attending the meeting will also meet with representatives from a number of US government agencies including the Commerce Department, Defense Department, Energy Department and Homeland Security. However, other agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology and the National Science Foundation will participate in the meeting too.
In an email to TechRadar Pro, chief security officer at GitHub, Mike Hanely explained just how important open source software is to the commercial software and online services we use everyday, saying:
“Open source software underpins the vast majority of the software we all use daily – just one or two lines of vulnerable code can have a global ripple effect across the billions of developers and services that rely on it. As the world’s largest developer platform, GitHub takes those risks seriously and understands its responsibility to support the millions of developers on our platform in securing open source. Addressing software supply chain security is a team sport. Through partnerships with governments, academia, developers, and other organizations, together we can make a significant impact on the future of software security, and today’s discussion is an important step in securing the world’s code together.”
A key national security concern
Back in December of last year, White House national security adviser Jake Sullivan sent a letter to the CEOs of US tech companies following the discovery of the Log4Shell vulnerability in Apache’s popular java logging framework Log4j.
In his letter, Sullivan said that the security of open source software is a “key national security concern” as it is used broadly and maintained by volunteers. As such, vulnerabilities in open source software can affect loads of other products and projects as demonstrated by 2014’s Heartbleed flaw in OpenSSL which at the time, was believed to be used in two out of every three servers.
More recently, a disgruntled developer took down thousands of open source projects by corrupting two widely used open source libraries on GitHub. The developer cited the fact that he no longer wants to create free code for commercial companies making millions as the reason for his actions.
We’ll likely hear more from each of the individual companies that attended the meeting in the following days as well as from the White House on its plans to improve the security of open source projects and software.
Via The Verge
Go to Source