For years, developers of free and open source software have told anyone who would listen that their projects need better funding and better oversight. Now, after a string of damaging incidents involving open source code, the federal government and Silicon Valley may finally be listening.
At a meeting at the White House on Thursday, executives from some of the biggest tech companies sat down with administration officials to discuss the need for better security in the open source community. The list of attendees included big names like Google, Facebook, Microsoft, Amazon, Oracle, and Apple, among others.
Unlike proprietary software, open source software is free, publicly viewable, and can be used or modified by anyone. Because open source tools are so useful, large companies routinely build their own products on top of them. But open source projects need to be maintained and funded to stay secure, and they don't always get either. For years, open source developers have complained that their software needs better support from Big Tech and other institutional players, an issue that is finally getting mainstream attention.
It's not hard to see why the White House called its meeting now. Just last month a critical bug was found in log4j, the popular open source Apache logging library. Because the library is embedded in software used by just about everyone, the flaw caused widespread panic in the tech industry as companies scrambled to patch the systems and products that depended on it. (Apache Software Foundation officials were also present at Thursday's meeting.)
In short: there is clearly room for improvement, and, thankfully, attendees at the White House meeting appear receptive to it. At the meeting, White House national security adviser Jake Sullivan reportedly called open source software a "key national security issue." Likewise, Google President of Global Affairs and Chief Legal Officer Kent Walker published a statement on the company's blog on Thursday saying he wanted to see better support for the open source community.
"For too long, the software community has comforted itself with the assumption that open source software is generally secure because of its transparency and the assumption that 'many eyes' are watching to detect and fix problems," Walker said. "But in fact, while some projects have a lot of eyes on them, others have few or none at all."
In his statement, Walker goes on to call for increased public and private support for open source projects, the establishment of security and testing baselines, and the development of a rubric for identifying "critical" projects, meaning the kind that are widely depended upon (something like log4j, presumably).
Exactly what the government and the Big Tech attendees have in mind for improving open source security isn't entirely clear at this point, but the fact that they're talking about it at all seems like a good sign.