
Google says open source software should be more secure


At the White House Open Source Summit, the Chocolate Factory floated a few ideas to make that happen
In conjunction with a White House meeting on Thursday at which technology companies discussed the security of open source software, Google proposed three initiatives to strengthen national cybersecurity.

The meeting was arranged last month by US national security adviser Jake Sullivan, amid the scramble to fix the Log4j vulnerabilities that occupied far too many people over the holidays. Sullivan asked invited firms – a group that included Amazon, Apple, Google, IBM, Microsoft, and Oracle – to share ideas on how the security of open source projects might be improved.

Google chief legal officer Kent Walker said in a blog post that, just as the government and industry have worked to shore up shoddy legacy systems and software, the Log4j repair process – still ongoing – has demonstrated that open source software needs the same attention as critical infrastructure.

"For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that 'many eyes' were watching to detect and resolve problems," said Walker. "But in fact, while some projects do have many eyes on them, others have few or none at all."

Pointing out Google's various efforts to be part of the solution, he outlined several possible public-private partnerships that were mentioned at the meeting:

Laudable ideas all, if not particularly radical, unexpected, or novel. Knowing which open source projects have the widest reach is certainly important to understanding where bugs would have the widest impact. Google software engineers have already been thinking about defining "criticality" in the context of software, so that work is underway. In fact, there's software to generate a criticality score for other software. As for baseline standards, the Open Source Security Foundation is already on the case, and we already have frameworks like the Google-devised Supply-chain Levels for Software Artifacts (SLSA).
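To make the "criticality score" idea concrete, here is an added example (not code from the article, Google, or the OpenSSF project) that computes a score in the shape of the formula the OpenSSF criticality_score project publishes: a weighted sum of log-scaled signals, each capped at a threshold, divided by the total weight. The signal names, weights and thresholds in the table are assumptions chosen for illustration, as are the three sample projects; swap in real repository metrics to rank what actually matters in your dependency tree.

```python
import math

# Per-signal weight (alpha) and saturation threshold (T).
# Assumed values for illustration; they follow the structure of the
# OpenSSF criticality_score formula, not its official parameter set.
SIGNALS = {
    "created_since_months": (1.0, 120),      # older projects are more established
    "updated_since_months": (-1.0, 120),     # negative weight: staleness lowers the score
    "contributor_count": (2.0, 5000),
    "org_count": (1.0, 10),
    "commit_frequency": (1.0, 1000),         # commits per year
    "recent_releases": (0.5, 26),
    "closed_issues": (0.5, 5000),
    "updated_issues": (0.5, 5000),
    "comment_frequency": (1.0, 15),
    "dependents_count": (2.0, 500000),       # reach: how many packages depend on it
}

TOTAL_WEIGHT = sum(alpha for alpha, _ in SIGNALS.values())  # 8.5 with the table above


def criticality_score(metrics):
    """Score = (1/sum(alpha)) * sum(alpha * log(1+S) / log(1+max(S, T))).

    Each term lies in [0, 1]: a signal at or above its threshold contributes
    its full weight, so a project saturating every signal scores exactly 1.0.
    Missing or negative metrics count as 0.
    """
    total = 0.0
    for name, (alpha, threshold) in SIGNALS.items():
        value = max(metrics.get(name, 0), 0)
        term = math.log(1 + value) / math.log(1 + max(value, threshold))
        total += alpha * term
    return total / TOTAL_WEIGHT


def rank_projects(projects):
    """Return [(name, score), ...] sorted from most to least critical."""
    scored = [(name, criticality_score(m)) for name, m in projects.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample metrics (not real repository data).
SAMPLE_PROJECTS = {
    "widely-used-logging-lib": {
        "created_since_months": 180, "updated_since_months": 1,
        "contributor_count": 60, "org_count": 4, "commit_frequency": 300,
        "recent_releases": 8, "closed_issues": 900, "updated_issues": 400,
        "comment_frequency": 6, "dependents_count": 250000,
    },
    "abandoned-util": {
        "created_since_months": 90, "updated_since_months": 120,
        "contributor_count": 2, "dependents_count": 20000,
    },
    "weekend-hack": {
        "created_since_months": 3, "updated_since_months": 1,
        "contributor_count": 1, "commit_frequency": 10,
    },
}

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{score:.3f}  {name}")
```

The negative weight on time-since-last-update is what makes an unmaintained but widely depended-upon package stand out: its reach keeps the score up while staleness drags it down, which is exactly the "few or no eyes" case Walker describes.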
