Open-source software is among the most important types of software around, made available to practically everyone to use and tinker with across use cases. Thus, strengthening the security parameters behind such software is paramount, given not only the wide-sweeping utilization of them but also the types of companies and businesses that use them for specific purposes.
At a meeting held in Washington DC last week, some of the most notable tech giants took this concern seriously. The meeting was convened by the Open Source Security Foundation (OpenSSF) alongside the Linux Foundation, underscoring how important open-source software security has become. The attending companies, including Microsoft, Amazon, Google, VMware, Intel, Ericsson, and nearly 29 more, went over the ways they are bolstering the security of the open-source software in their supply chains, which has become one of the most important focal points for the companies in attendance.
The resulting Software Supply Chain Security Mobilization Plan, which consists of 10 points, took home a whopping $30 million in funding to help strengthen security in open-source software. It is designed to improve such software on various fronts, including vulnerability detection, source code production security, remediation of specific attacks, shorter patch times, and more. The initiative even includes a full SBOM, or software bill of materials, to help tech companies across the industry see the full breadth of software used in their tech stacks.
The meeting itself is a follow-up to a White House sitdown in Jan. following the Log4Shell zero-day vulnerability, which hit Apache's Log4j library and put a multitude of devices across the globe at risk. The Log4j library is a Java-based logging utility used in a ton of different devices and businesses, the main among them being Amazon's AWS, making the vulnerability a rather dire circumstance, and one that may still have unpatched instances.
In addition to raising capital and support for open-source software security, the aforementioned initiative will likewise try to bolster the knowledge surrounding such practices. While open-source software is definitely useful and necessary, more often than not the security behind it is rather nonexistent. This is where the SSCSM plan seeks to remedy concerns: through security education, eliminating non-memory-safe programming languages such as COBOL and C++, and annual meetups for third-party code reviews of over 200 of the most problematic open-source software offerings available.
Google's Cloud division announced the creation of an open-source maintenance crew that would essentially support upstream maintainers with skilled engineers to strengthen security across the open-source community. The main drive behind this initiative is to find and stop vulnerabilities like Log4Shell before they occur, protecting the US from malware attacks and businesses from exploitable software.
Executive director of OpenSSF, Brian Behlendorf, explains, "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."