Google says open source software should be more secure • The Register

In conjunction with a White House meeting on Thursday where tech companies discussed the security of open source software, Google proposed three initiatives to bolster national cybersecurity.

The meeting was hosted last month by US National Security Advisor Jake Sullivan, amid the rush to patch Log4j vulnerabilities that kept far too many busy over the holidays. Sullivan asked the invited companies – a group including Amazon, Apple, Google, IBM, Microsoft and Oracle – to share ideas on how the security of open source projects could be improved.

Google’s chief legal officer, Kent Walker, in a blog post said that just as government and industry have worked to shore up shoddy legacy systems and software, the Log4j repair process – still ongoing – has demonstrated that open source software needs the same attention as critical infrastructure.

“For too long, the software community has comforted itself with the assumption that open source software is generally secure because of its transparency and the assumption that ‘many eyes’ are watching to detect and fix problems,” Walker said. “But in fact, while some projects have a lot of eyes on them, others have few or none at all.”

Emphasizing Google’s various efforts to be part of the solution, he outlined several possible public-private partnerships that were mentioned during the meeting:

  • Identify a list of critical open source projects
  • Establish baseline standards for security, maintenance, provenance and testing
  • Set up a maintenance marketplace that connects volunteers with projects that need them

All laudable ideas, if not particularly radical, unexpected or unprecedented.

Knowing which open source projects have the widest reach is certainly important for understanding where bugs would have the greatest impact. Google’s software engineers have already thought about how to define “criticality” for a piece of software, so that work is in progress. In fact, there is already software to generate a criticality score for other software.

With regard to baseline standards, the Open Source Security Foundation is already on the case, and there are already frameworks like the Google-designed Supply-chain Levels for Software Artifacts (SLSA). So that too is a work in progress.

Walker’s description of an organization for connecting projects with corporate-employed volunteers sounds a lot like one of many open-source sustainability efforts, just without the specific monetary component of GitHub Sponsors or Patreon.

“Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source,” Walker said. “That’s why it’s critical that we see more public and private investment to keep this ecosystem healthy and secure.”

That’s what everyone keeps saying, but often without paying.

Power in a union

Mike Hanley, Head of Security at GitHub, also had something to say on the matter: “First and foremost, there needs to be a collective industry and community effort to secure the software supply chain,” he said in a blog post. “Second, we need to better support open source maintainers to make it easier for them to secure their projects.”

Katie Moussouris, founder of Luta Security, told The Register in a phone interview that Google, as part of what she described as the “one percent” of security, is doing a lot of good work on the security of its own products and on security related to the wider software ecosystem. But this work, she says, is purely voluntary.

“If the US government is concerned about securing open source, then it needs to get more serious about supporting the open source community that is not voluntary, the charitable work of 1% security like Google and Microsoft and other elite, major service providers who were invited to the White House today,” she explained.

Moussouris suggested we need to adopt a model that is more like universal basic income for the developer community, in part because it’s hard to identify which projects are critical and which aren’t.

“The open source community definitely needs some form of universal basic income, because there are projects that start as hobbies by an individual, and predicting popularity becomes a very difficult thing,” she said.

These projects often exist without much attention until there is a security breach and people realize there is only one maintainer, she said. While the government should appreciate contributions from big companies like Google and its peers, “it can’t rely on volunteer charity, labor and donations from mega-corporate 1% security if it’s going to fix this problem,” she said.

When asked if a software license imposing financial support obligations on heavy users of open source projects might help, Moussouris was unsure that licensing was the ideal approach to making open source more sustainable and more secure. But she expressed support for shifting income from the haves to the have-nots as a general goal.

“If the idea is to direct more of those who profit from open source, and more of those profits, to those who build open source – like maintainers, and those who do it for free, or with very little financial support – if the goal is to give back to maintainers more of those benefits derived from open source, I’m all for it,” she said.

Moussouris added that getting money for open source maintainers can be tricky. It is often not easy to identify who to pay or how to pay them. “You can’t just send a government check to one individual, and that’s true around the world,” she said.

Another issue not mentioned among Google’s proposals is the need for specific security skills in the bug-fixing process. Moussouris pointed to the lack of root cause analysis in the Log4j response, which allowed several variants to be developed that circumvented the initial fix. The Log4j developers, she said, did not understand the full extent of the vulnerability that had been reported.

“That’s the problem that won’t be solved by throwing more developers at [the problem] — they are different professional roles,” she explained. “So that’s a gap in what everyone is talking about here in terms of support.” ®