Driven by vulnerabilities in widespread software affecting organizations worldwide, the US government met with the open source community and major software firms on Jan. 13 at the White House to find ways to support the innovative software development community, while at the same time reducing the likelihood of future security flaws in common software components.
The White House Software Security Summit brought together officials from the various government agencies that deal with national security and technology with representatives from major software companies — including Akamai, Amazon, Apple, GitHub, Google, Meta, Microsoft, and Red Hat — as well as members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.
The summit aimed to find ways of “preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes,” the Biden administration said in a statement.
At the heart of the discussion, however, is how the innovative development of open source communities can continue to flourish while improving efforts to create secure software and speed the patching in the face of vulnerabilities.
“Open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the administration stated. “Participants had a substantive and constructive discussion on how to make a difference in the security of open source software, while effectively engaging with and supporting the open source community.”
The summit took place as companies continue to struggle to find and patch a significant vulnerability in the Log4j logging framework for Java applications, which is widely used in enterprise applications. More than 80% of the Java applications on the Maven Central Repository, a widely used package management repository, had Log4j as a dependency — meaning those Java applications and components are likely vulnerable. While the vulnerability has not yet led to a major compromise, according to US officials, the issue will likely take years to remediate because of its ubiquity.
A Long History of Widespread Vulns
Vulnerabilities in widespread software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 Spectre and Meltdown vulnerabilities demonstrated that security issues found in ubiquitous software and firmware have long tails.
“The world runs on software, which in turn relies on open source, [which] means that vulnerabilities in open source code can have a global ripple effect across the billions of developers and services that rely on it,” Mike Hanley, chief security officer at GitHub, said in a statement on the summit. “We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems in the blink of an eye.”
The summit aimed to find ways for government and industry to work together to improve the security of open source code, such as integrating security features into developer tools and services as well as ensuring the integrity of the platforms used to store and distribute packages. Initial efforts will likely focus on ways to improve the security of popular and critical open source software projects and packages and speed the adoption of software bills of materials to allow developers and companies to track their dependencies.
“This all begins with a common effort to increase visibility into the use of open source software,” says Boaz Gelbord, chief security officer with Akamai. “Government and private sector organizations must invest in tools that reveal the reliance on open source technologies and, crucially, take action to mitigate and contain risks to strengthen the security of the ecosystem at large.”
The efforts will be a balance between maintaining the innovative and standards-setting efforts of independent open source development and enforcing secure development practices on projects and products that become part of the critical infrastructure on which industry and government rely, says Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).
“At the beginning of the supply chain are the raw, sometimes messy, but also often incredibly innovative processes of writing code in a group that so often lead to great software,” he says. “That’s precious and shouldn’t be shackled by bureaucracy or requirements that create no value for those upstream core devs.”
However, the OpenSSF recognizes that more secure development processes need to be added to each step in the chain from core developer to package manager to the development teams that eventually use the software component or library.
“What’s important now, in a world of millions of software projects and developers, is to help scale up what used to be informal, high-trust processes along this chain into more rigorous, automatable tools and practices,” Behlendorf says.
The industry has already started investing in securing open source software, as well as its own software products. At a similar summit in August, Google and Microsoft pledged to spend billions on software security and cybersecurity efforts over the next five years. Google, for example, has committed to an invisible security initiative to integrate protections so that developers and businesses reap the benefits, and has also worked with the OpenSSF to release tools for developers. Akamai committed to continuing to help the open source community find ways to detect vulnerabilities in software and contain attacks, but recognized that the work is only starting.
“While this executive order is a move in the right direction, more needs to be done to support the open source community to thrive within our ever-evolving threat landscape,” Akamai’s Gelbord says.
Last year, the Biden administration released an executive order on cybersecurity that was widely praised for being more detailed than those of past administrations. In addition, the administration announced in October that it would create the Bureau of Cyberspace and Digital Policy within the US Department of State to lead international diplomacy on the issue.