There’s no question that open source security and supply chain security have become top-of-mind issues in the aftermath of the quartet of Apache Log4j vulnerabilities and the SolarWinds supply chain compromise. But so important that the White House would call a meeting with open source foundations and company officials? Yes, it’s that important.
The meeting was led by Anne Neuberger, the White House’s Deputy National Security Advisor for Cyber and Emerging Technology. Officials from organizations including the Apache Software Foundation (ASF) and the Linux Foundation attended, as did executives from Apple, Amazon, Google, IBM, Microsoft, and Oracle. Government agencies such as the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA) were also represented.
We Must Work Together
The topic of the day was that, since open source software has become essential to virtually all of technology, and thus to our national security, we must all work together to secure it.
Of course, in Linux and open source circles, we already know this. After the meeting, Linux Foundation Executive Director Jim Zemlin said, “Safeguarding critical infrastructure includes securing the software that runs its banking, energy, defense, healthcare, and technology systems. When the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted. This isn’t a problem unique to the US government; it’s a global concern. We applaud the US government’s leadership in facilitating a stronger focus on open source software security and look forward to collaborating with the global ecosystem to make progress.”
Still, as David Nalley, president of the ASF, noted, “There’s a lot to mull over after the discussions, but I think it was a good round of discussions about open source software security and supply chain. While there are no silver bullets for the complex problem set, it’s great to see so much interest and investment in improving the open source ecosystem.”
Look at Software Like Physical Infrastructure
To get there, Kent Walker, Google and Alphabet’s president of global affairs, said it’s time to think about software security the same way we think about physical infrastructure. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges.”
Walker added in a blog post, “For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.” This, as we know to our chagrin, is all too true.
Google, like all the major open source players, is well aware of this problem. The company is a founding member of the Linux Foundation’s Open Source Security Foundation (OpenSSF), which coordinates open source security priorities and work on finding and fixing vulnerabilities.
Google feels that more needs to be done. So, it’s proposing three ways to improve open source security. These are:
- Identifying critical projects
We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.
- Establishing security, maintenance & testing baselines
Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.
- Increasing public and private support
Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source. That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort.
Some of this work is already under way. OpenSSF Executive Director Brian Behlendorf said, “During today’s meeting, we shared a set of key opportunities where, with sufficient commitments from everyone, we could make a substantial impact on the critical endeavors needed to protect and improve the security of our software supply chains. … Through efforts such as our working groups on Best Practices, Identifying Critical Projects, Metrics and Scorecards, Project Sigstore, and more to be announced soon, OpenSSF has already had an impact on many of the key areas discussed during today’s meeting. We are ready to further these efforts and welcome all new participants and resources.”
IBM’s General Manager of Systems Strategy and Development Jamie Thomas agreed. Thomas believes the White House meeting “made clear that government and industry can work together to improve security practices for open source.”
Specifically, Thomas continued, “We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field.”
Red Hat issued a statement that added, “The core tenets … remain fundamental to improving the security posture of all software — both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available.”
Meanwhile, the ASF added, “The ASF produces software for the public good. We are committed to working with the larger community, including industry and government consumers of open source software, to find ways to improve security while adhering to The Apache Way.” That means they “believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software. There’s no single ‘silver bullet’ to get there, and it will take all of our organizations working together to improve the open source supply chain.”
Security Is Top of Mind
Indeed it will. But, at least now everyone is paying more attention. As Donald Fischer, Tidelift’s co-founder and CEO, told me in an e-mail, “It’s exciting, humbling, and exasperating at the same time to see the sudden rush of interest in open source software supply chain security from the most senior levels of government and industry. Regardless of headline-grabbing vulnerabilities like Log4Shell, it’s been clear for years now that our society needs new ways to align the interests of open source creators and the organizations and individuals that depend on them. But at all times we should be mindful that the solution can’t just be demanding more from independent open source maintainers, or worse, pushing them aside — it must include partnering with them to support the incredible work they do.”
Still, Fischer concluded, “It’s fantastic that open source supply chain security is finally starting to get the attention it deserves. But it’s also essential that independent open source creators are represented in the conversation, not just giant technology companies and industry trade associations. Going forward, individual maintainers need to be ‘in the room where it happens.’”
This is true. While it’s great that Fortune 500 companies and the government are backing the effort to improve open source security, making it happen will require everyone from the biggest businesses to individual developers working together. It can be done. But it will take all of us, and it won’t be easy.
The Linux Foundation and Red Hat are sponsors of The New Stack.
Featured image via Pixabay