Google is recommending that the US government devote more resources to securing open-source software in light of the Apache Log4J 2 vulnerability, which has affected countless business applications and servers.
On Thursday, Google and other tech companies, including Apple and Amazon, attended a White House briefing about securing open-source software. The meeting was called to help the US avoid a repeat of the Log4J vulnerability, which can make compromising an affected application trivial for an attacker.
One reason the vulnerability is so severe is that the open-source Log4J 2 utility is used across the IT industry as a freely available tool. Yet this vital software is maintained only by volunteers from the nonprofit Apache Software Foundation.
According to Google, the lack of maintenance and IT support surrounding open-source projects leaves the US vulnerable to exploitation.
“For too long, the software community has taken comfort in the assumption that open-source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems,” Google’s Chief Legal Officer Kent Walker wrote in a blog post. “But in fact, while some projects do have many eyes on them, others have few or none at all,” he added.
Walker recommends three ways the US can better secure open-source software:
Identify critical open-source software used across the industry and devote more resources to protecting it.
Establish baseline standards for security, maintenance, and testing for the entire software industry.
Create an organization to act as a “marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support.”
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure,” Walker added. “Open-source software is a connective tissue for much of the online world—it deserves the same focus and funding we give to our roads and bridges.”
It’s unclear whether the Biden administration will act on the recommendations. But in a White House press briefing on Thursday, US National Security Advisor Jake Sullivan said the summit with the tech companies was “an incredibly constructive discussion” on the ways the public and private sectors can bolster the country’s IT security.
The Apache Software Foundation also attended the White House briefing. In a statement, the nonprofit said: “We believe today’s conversation is a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open-source software.”