Major US tech companies with an interest in open source software, such as Google and GitHub, came together at a White House summit yesterday (13 January) to discuss ways to make the space more secure in light of recent vulnerabilities.
Creating new standards of open source software security, increased funding for developers in the space and public-private partnerships to secure the ecosystem were some of the ideas floated in the five-hour White House summit to secure the future of open source development.
Cybersecurity threats with global implications that prompted the US government to hold the summit include the recent Log4Shell flaw and the cyberattacks orchestrated by the SolarWinds hackers early last year.
However, security threats stemming from open source software are hardly a new phenomenon. The Heartbleed bug revealed in 2014, a serious flaw in the web encryption software OpenSSL, was one of the first major security threats in the space. It was believed that as many as 17pc of secure web servers could be vulnerable.
“There will be another big deal at some point in the future that we’re going to need to respond to,” GitHub chief security officer Mike Hanley told Protocol, indicating that Log4Shell isn’t the last of the threats faced by open source software.
Google made a series of proposals at the White House summit, including a public-private partnership to identify a list of critical open source projects to help prioritise and allocate resources accordingly.
“We proposed setting up an organisation to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support,” Kent Walker, president of global affairs and chief legal officer at Google, wrote in a blog post.
Google’s readiness to contribute resources to this effort was echoed by GitHub, which revealed plans to up its game in the open source software security space in 2022 with a host of updated tools for its 73m developers to manage vulnerabilities.
“Developers aren’t necessarily security experts—nor should they have to be—which is why we’re intently focused on making it easier for them to write more secure code in a frictionless way,” Hanley wrote in a blog post.
In addition to tools, he said that GitHub was ready to offer developers more opportunities in upskilling and training as well as finding more funding through programmes such as GitHub Security Lab and GitHub Sponsors.
Robert Blumofe, chief technology officer at US cybersecurity company Akamai and one of the summit’s attendees, told Protocol that the very existence of the summit was an indication of the government’s recognition of the importance of open source software.
“It wouldn’t have been completely inconceivable for the government to start to take a very negative approach and say, ‘well, we can’t trust open source,’ or view open source as the scapegoat,” he added.
The post Google, GitHub want to make open source software safer appeared first on Silicon Republic.