White House meets software companies and open source groups on security

Driven by widespread software vulnerabilities affecting organizations around the world, the U.S. government met with the open source community and major software companies at the White House on January 13 to find ways to support innovative software development communities while reducing the likelihood of future security breaches in commonly used software components.

The White House Software Security Summit brought together officials from various government agencies dealing with national security and technology issues, as well as representatives from major software companies — including Akamai, Amazon, Apple, GitHub, Google, Meta, Microsoft, and Red Hat — and members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.

The Biden administration said in a statement that the summit was aimed at finding methods for “protection against security flaws and vulnerabilities in code and open source packages, improving the process for finding flaws and fixing them, and reducing response times for distributing and implementing fixes.”

At the heart of the discussion, however, is how innovative developments in the open source community can continue to thrive while improving work to create secure software and speed up patching in the face of vulnerabilities.

“Open source software brings unique value and presents unique security challenges because of its widespread use and the number of volunteers responsible for its ongoing security maintenance,” the administration said. “Participants engaged in substantive and constructive discussions on how to make an impact on the security of open source software while effectively engaging and supporting the open source community.”

The summit comes as companies are still working to find and patch a critical vulnerability in the Log4j logging framework for Java applications, which is widely used in enterprise applications. Over 80% of Java applications on the Maven Central Repository (a widely used package management repository) have Log4j as a dependency – meaning these Java applications and components are likely to be vulnerable. While the vulnerability has yet to lead to a major compromise, it could take years to fix because of its ubiquity, according to U.S. officials.

A long history of widespread vulnerabilities
Vulnerabilities in widely used software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 Spectre and Meltdown vulnerabilities demonstrate that there is a long tail of security issues found in ubiquitous software and firmware.

“The world runs on software, and software depends on open source, [which] means that a vulnerability in open source code could have a global ripple effect on the billions of developers and services that rely on it,” GitHub Chief Security Officer Mike Hanley said in a statement at the summit. “We’ve seen how a single line or two of vulnerable code can have a huge impact on the health, security and trustworthiness of an entire system in the blink of an eye.”

The summit aims to find ways for government and industry to collaborate to improve the security of open source code, such as integrating security features into developer tools and services, and ensuring the integrity of the platforms used to store and distribute packages. Initial efforts are likely to focus on ways to improve the security of popular and critical open source software projects and packages, and to accelerate the adoption of software bills of materials to allow developers and companies to track their dependencies.

“It all started with a concerted effort to increase visibility into the use of open source software,” said Boaz Gelbord, chief security officer at Akamai. “Government and private sector organizations must invest in tools that reveal reliance on open source technologies and, crucially, take action to mitigate and control risks to strengthen the security of the entire ecosystem.”

Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF), said these efforts will balance the innovation and standards-setting efforts of maintaining independent open source development with the implementation of secure development practices for projects and products that become part of the critical infrastructure that industry and governments rely on.

“The beginning of the supply chain is primitive and sometimes chaotic, but also often an incredibly innovative process of writing code in a team, which often leads to great software,” he said. “This is precious and should not be constrained by bureaucracy or requirements that have no value for upstream core developers.”

However, OpenSSF recognizes that more secure development processes need to be added at every step in the chain, from core developers to package managers to development teams that end up using software components or libraries.

“Now, in a world with millions of software projects and developers, it’s important to help expand what used to be informal, highly trusted processes on this chain into more rigorous, automatable tools and practices,” Behlendorf said.

The industry has started investing in protecting open source software as well as its own software products. At a similar summit in August, Google and Microsoft pledged to spend billions over the next five years on software security and cybersecurity efforts. For example, Google is working on an invisible security initiative to integrate protections that benefit developers and businesses, and is also partnering with OpenSSF to release tools for developers. Akamai is committed to continuing to help the open source community find ways to detect software vulnerabilities and contain attacks, but admits the work has only just begun.

“While this executive order is a step in the right direction, more needs to be done to support the open source community to thrive in our changing threat landscape,” said Akamai’s Gelbord.

Last year, the Biden administration issued an executive order on cybersecurity that was widely praised for being more detailed than those of previous administrations. Additionally, the administration announced in October that it would create a Bureau of Cyberspace and Digital Policy within the U.S. State Department to lead international diplomacy on the issue.
