Tech companies want to collaborate more to secure open source software
Several major tech companies, including Google and IBM, are calling on the tech industry to better secure open source software projects. The call follows a meeting with the American government about the problems caused by log4j.
Among other things, Google is calling for a public list of open source projects that are considered “critical”, the company writes in a blog post. How critical a project is should be judged by its “influence and importance to a project”. Google also suggests new ways to discover software that poses a “systematic risk” to large projects.
The company also advocates new standards for open source projects around security, maintenance and testing. Those should be handled by foundations like the OpenSSF and supported by other companies as well. In addition, Google wants an independent organization to “serve as a marketplace for open source support.” That organization could then match volunteer developers to projects that need development assistance.
Other tech companies have proposed similar initiatives, although they are not always concrete. For example, the Apache Foundation says that collaboration between companies that use open source software will always be necessary, but does not mention any concrete plans. Akamai, for its part, backs Google’s proposal to categorize key software, and IBM tells ZDNet that government and industry should work more closely together to improve the secure development of open source software.
The companies held talks with the White House, which included the Department of Defense and the Cybersecurity and Infrastructure Security Agency, or CISA. The government agencies wanted to discuss how open source projects can be secured and what industry can contribute. The talks were prompted in particular by the log4j vulnerability in Java, which was discovered in December last year.
It is not the first time that tech companies have offered their support for addressing society-wide cybersecurity problems. For example, Google and Microsoft made 25 billion euros available last year to support projects, to help governments and companies with better policy, and to secure software in the supply chain.