According to Google, the US government should devote more resources to securing open-source software after the Apache Log4j 2 vulnerability, which affected many business applications and servers.
Google, alongside other tech companies such as Apple and Amazon, attended a White House briefing about securing open-source software. The meeting aimed to help the US avoid a repeat of the Log4j vulnerability.
One reason the vulnerability was so damaging is that the open-source Log4j 2 utility is used as a free tool across the IT industry. What is more, this vital software is maintained largely by volunteers at the nonprofit Apache Software Foundation. Google says that the lack of maintenance and IT support surrounding open-source projects leaves the US vulnerable. Google’s Chief Legal Officer Kent Walker wrote in a blog post:
“For too long, the software community has taken comfort in the assumption that open-source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.”
Walker noted that there are three ways the US can better secure open-source software:
- Identify critical open-source software used across the industry and devote more resources to protecting it;
- Establish baseline standards for security, maintenance, and testing;
- Create an organization to act as a “marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support.”
He also added:
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open-source software is a connective tissue for much of the online world—it deserves the same focus and funding we give to our roads and bridges.”
In addition, US National Security Advisor Jake Sullivan said the summit with the tech companies was “an incredibly constructive discussion” on how the public and private sectors can bolster the country’s IT security.