After the "Summit on open-source security" organized at the White House, Google has asked for greater government participation in identifying and protecting critical open source software projects.
Kent Walker, president of global affairs and chief legal officer of Google, said in a blog post that closer collaboration is needed between the private sector and government to ensure more funding and leadership for open source software security.
“We need a public-private partnership to identify a list of critical open source projects, with criticality determined based on a project's influence and importance, to help prioritize and allocate resources for the most essential security assessments and enhancements,” Walker wrote.
Longer term, Walker added, that partnership must devise new ways to identify open source software that could pose systemic risk, based on how it integrates with critical projects, so that it can anticipate the level of security needed to ensure its safety.
Google also wants government and industries to come together to set benchmark standards for the security, maintenance, provenance, and testing of open source software.
That's to ensure that the national infrastructure and other important systems can trust these projects. Walker said the standards should be developed through a collaborative process that emphasizes frequent updates, ongoing testing and verified integrity.
Lastly, Walker requested more funding from both the government and the private sector. He pointed out that many leading companies and organizations don't even know how much of their critical infrastructure is based on open source projects.
To remedy that, he called for increased awareness as well as the creation of a market for open source maintenance that would unite volunteers from companies and organizations with critical projects that need support. Walker promised that Google is ready to support such an initiative.
The lack of resources for the maintenance and security of open source software is an issue that has been raised in the past, but it resurfaced this month following the discovery of a serious flaw in the Log4j Java library, one of the biggest cybersecurity vulnerabilities detected in recent years. The Log4j library is open source, mostly developed and maintained by unpaid labor.
“Open source software code is available to the public, free for anyone to use, modify, or inspect,” Walker wrote. “That's why so many aspects of critical infrastructure and homeland security systems incorporate it. But there is no official allocation of resources and few formal requirements or standards to keep that critical code secure. In fact, most of the work to maintain and improve the security of open source, including fixing known vulnerabilities, is done on a voluntary, ad hoc basis.”
Most funding for open source software usually comes from donations from individual supporters or from the sponsorship of technology companies that depend on it. For example, Google recently committed $100 million to the Linux Foundation's Secure Open Source bounty program, which aims to provide financial compensation to developers who improve the security of key projects.
For its part, IBM Corp.'s Red Hat unit, whose executives attended the White House National Security Council meeting, said it supports the government's efforts to improve the security of all types of software.
“A key theme of the meeting was the recognition that open source software has accelerated the pace of technological innovation, provides enormous social and economic benefits, and can go a long way toward improving trust and cybersecurity,” Red Hat said in a statement.
"We look forward to working with the Administration and a broad set of stakeholders on the next steps and will continue to focus on supporting our customers and strengthening the open source ecosystem."
Finally, if you are interested in learning more about it, you can check the details at the following link