Tech giants including Amazon, Google and Microsoft have pledged millions of dollars to bolster the security of open source software.
The pledge was made during a meeting in Washington, DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.
The industry gathering, which was attended by government leaders and more than 90 executives from 37 companies, is a follow-up to the historic White House summit in January convened in the wake of the Log4Shell zero-day vulnerability in January. The flaw affected Apache’s Log4j library, a ubiquitous logging software, which put millions of devices worldwide at risk. But according to a study from March, almost a third of instances remain unpatched.
During last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.
The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open source community, the elimination of non-memory safe programming languages like C++ and COBOL, and for annual third-party code reviews of 200 of the most critical open source software components.
The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.
“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”
Google Cloud also announced during the summit that it would launch an open source maintenance crew, a team of dedicated engineers that will work with upstream maintainers in order to boost the security of various open source projects.