Illustration by Alex Castro / The Verge
The White House will meet with leaders of major tech companies including Apple, Google, Amazon, Meta, IBM, and Microsoft on Thursday to discuss the security of open-source software. The issue has become urgent in the wake of the extremely serious Log4j vulnerability, discovered in December 2021.
The summit will also include the Apache Software Foundation — the owner and maintainer of the Log4j library — and Oracle, owner of the Java software platform on which the Log4j library runs. GitHub and the Linux Open Source Foundation will also be represented.
Executives from the tech companies will meet with representatives of various federal agencies, including the departments of Commerce, Defense, Energy, and Homeland Security. Other agencies include the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the National Science Foundation, according to Cyberscoop.
In the wake of the discovery and fallout from the Log4j vulnerability in December, White House national security advisor Jake Sullivan described open-source security as a “key national security concern.” The open-source security summit was called shortly after as a direct response.
In May 2021, well before the Log4j vulnerability was discovered, President Biden issued an executive order on improving the nation’s cybersecurity. Among other things, the order mandated that agencies of the federal government shore up their software supply chains by “ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software.”
Vulnerabilities in open-source software have led to some of the most serious security flaws in recent memory. The Heartbleed bug, discovered in 2014, affected an open-source encryption library called OpenSSL that was believed to be used in two out of three servers across the web. Despite its large-scale usage, the library was maintained largely by unpaid volunteers — as was the case with Log4j.
Open-source software that is critical to the functioning of highly profitable tech companies may still struggle to attract funding, a fact that is likely to be discussed at today’s summit. Just days ago, the issue was brought to the fore again when an open-source developer intentionally corrupted two JavaScript libraries, potentially affecting thousands of projects. Reporting by Bleeping Computer uncovered previous posts in which the developer lamented “support[ing] Fortune 500s…with my free work.”
Writing on GitHub’s company blog Thursday morning, chief security officer Mike Hanley described a landscape in which open-source software is widely used but still poorly supported in terms of the resources made available to its developers.
“First, there must be a collective industry and community effort to secure the software supply chain,” Hanley wrote. “Second, we need to better support open source maintainers to make it easier for them to secure their projects.”