One of the things that’s become much more apparent in the wake of the Log4kShell vulnerability crisis is just how dependent a large number of applications are on open source code that is maintained by a small number of developers. Although Log4j is widely used by developers of Java applications, the small number of contributors working on making sure that code is secure is typical of most open source projects with arguably the exception of Linux itself.
That issue is now at the top of the security agenda as organizations continue to review their software supply chains in the wake of a series of high-profile breaches. In fact, White House national security adviser Jake Sullivan has sent a letter to major software companies and developers inviting them to discuss initiatives to improve open-source software security starting with a one-day discussion this month to be hosted by Anne Neuberger, the deputy national security advisor for cyber and emerging technology.
In the letter, Sullivan specifically noted that while open-source software has accelerated the pace of innovation much of it is maintained by volunteers. This is now a key national security concern, he wrote.
Open source vulnerabilities were becoming a major source of concern even prior to the discovery of the Log4jShell vulnerabilities. The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, raised $10 million to help maintainers embrace best practices to better protect open source projects from malicious code that might be injected into software by bad actors pretending to be just another contributor to the project. Google has pledged $1 million to help open source developers adhere to guidelines established by the National Institute of Standards and Technology (NIST) arm of the U.S. Department of Commerce in response to the recent executive order on cybersecurity issued by the Biden administration. Administered as a pilot program by the Linux Foundation, that effort is part of a larger $10 billion commitment that Google previously made to open source security.
At the core of the open source software security crisis is a debate over who should actually be responsible for security. The contributors to these projects note that they have already contributed many hours to building the project. It’s up to the organizations that take advantage of that free software to make sure it’s secured when they deploy it.
Regardless of who secures that software, it’s clear far too many organizations are taking advantage of open source software without making any contributions to open source projects. The White House is making it clear that needs to change. Organizations that hire developers are in the name of the greater good going to be asked by the Federal government to make a more substantive contribution to securing open source software. The U.S. is now signaling it intends to track who is contributing to open source projects that wind up being used by Federal agencies. The implication is that IT vendors that rely on insecure open source software will soon one way or another ultimately be held accountable for making sure that software is secure.