Big Tech wants to make Open Source Software more Secure

The major technology companies of the United States – names such as Google, Microsoft, Apple, and Facebook – came together at an important White House Summit over the weekend to discuss the ways to make the open source software space more secure in light of recent disastrous vulnerabilities.

The new standards for open source software security – including important funding for developers in the space and public and private partnerships – to secure the ecosystem were some of the ideas floating around during the summit on the future of open source development.

Recent cybersecurity threats with global implications prompted the United States Government to hold the summit -- the Log4Shell flaw was on the table that emerged last month.

At the same time, security threats stemming from open source software are not a new phenomenon. They have been an issue for a good few years. A good example of this is the plugin system for WordPress.

The infamous Heartbleed bug revealed in 2014 – which was a serious flaw in web encryption software OpenSSL – was one of the first major security threats in the space. This means it effected both the public and private sectors, along with anyone who used the internet in general. It was believed at the time that as much as twenty percent of secure web servers could be vulnerable.

There will be another big deal at some point in the future that we’re going to need to respond to.

GitHub chief security officer Mike Hanley told Protocol following the White House summit.

Google made a series of proposals at the summit. This is including a public and private sector partnership to identify a list of critical open-source projects to help prioritize and allocate resources accordingly.

We proposed setting up an organisation to serve as a marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support.

Kent Walker, president of global affairs and chief legal officer at Google, wrote in a blog post.

I'm honestly surprised by Google’s readiness to contribute resources to this effort. Microsoft, including the Staff of GitHub, was echoing these concerns also. They all revealed plans to up its game in the open source software security space in 2022 with a host of updated tools to help its over seventy million developers manage all types of different vulnerabilities.

Developers aren’t necessarily security experts – nor should they have to be – which is why we’re intently focused on making it easier for them to write more secure code in a frictionless way.

Hanley wrote in a blog post.

In addition to offering the tools, he said that GitHub was ready to offer developers more opportunities in upskilling and training as well as finding more funding through programs such as GitHub Security Lab and GitHub Sponsors.

Robert Blumofe, chief technology officer at the United States cybersecurity company Akamai and one the summit’s attendees, told Protocol that the very existence of the summit was an indication of the US government’s recognition of the importance of open source software.

It wouldn’t have been completely inconceivable for the government to start to take a very negative approach and say, ‘Well, we can’t trust open source,’ or view open source as the scapegoat.

He also added.