Tech giants such as Amazon, Google and Microsoft have pledged millions of dollars to strengthen the security of open source software.
The pledge was made last week at a meeting in Washington DC where open source leaders, led by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), shared their plans to improve software supply chain security.
The industry meeting, attended by government leaders and more than 90 executives from 37 companies, follows on from the White House summit in January that was convened in the wake of the Log4Shell zero-day vulnerability. The flaw affected Apache's Log4j, a ubiquitous Java logging library, and exposed millions of devices worldwide. According to a March study, nearly a third of affected instances remain unpatched.
At last week's meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware collectively pledged $30 million to fund a 10-point plan that aims to improve the security of open source software. The first-of-its-kind initiative, designed by the Linux Foundation and OpenSSF, aims to secure open source code production, improve vulnerability detection and resolution, and reduce patch response time. This includes producing a software bill of materials (SBOM), an inventory of the components a piece of software is built from, so that companies can see exactly what is running in their tech stack and which of it needs patching when a flaw like Log4Shell is disclosed.
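To make the SBOM point concrete: the following is an added example, not code from the article or from OpenSSF, showing why an inventory matters. It walks a constructed CycloneDX JSON SBOM (the sample data below is made up for illustration) and flags every log4j-core component in the range affected by Log4Shell, CVE-2021-44228, which covers log4j-core 2.0-beta9 through 2.14.1 and was fixed in 2.15.0. The component names and purls follow the Maven coordinates Apache actually publishes; the SBOM contents themselves are invented.

```python
"""Scan a CycloneDX JSON SBOM for log4j-core versions affected by Log4Shell.

Added example: parses a constructed SBOM (below) and reports components whose
version falls inside the CVE-2021-44228 affected range. Nested components, which
CycloneDX allows for bundled applications, are walked recursively.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed sample SBOM in CycloneDX 1.4 JSON shape; not taken from any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        # A bundled application shipping its own (old) copy of log4j-core, nested one level down.
        {"type": "application", "name": "legacy-reporting-service", "version": "4.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
         ]},
        # log4j 1.x has different Maven coordinates and is not in scope for CVE-2021-44228.
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.1", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
    ],
})

# CVE-2021-44228 affects log4j-core 2.0-beta9 up to and including 2.14.1; first fixed release is 2.15.0.
AFFECTED_GROUP = "org.apache.logging.log4j"
AFFECTED_NAME = "log4j-core"
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (2, 15, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple.

    Pre-release tags after '-' are dropped, so '2.0-beta9' compares as (2, 0, 0),
    which is what we want: the beta is inside the affected range.
    """
    numeric = version.split("-", 1)[0]
    parts: List[int] = []
    for piece in numeric.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_log4shell_affected(component: Dict) -> bool:
    """True if the component is log4j-core in the CVE-2021-44228 affected range."""
    if component.get("group") != AFFECTED_GROUP or component.get("name") != AFFECTED_NAME:
        return False
    version = parse_version(component.get("version", ""))
    return FIRST_AFFECTED <= version < FIRST_FIXED


def walk_components(components: List[Dict]) -> Iterator[Dict]:
    """Yield every component depth-first, including those nested under other components."""
    for component in components:
        yield component
        yield from walk_components(component.get("components", []))


def find_affected(sbom_json: str) -> List[str]:
    """Return the purl (or group:name@version) of each affected component in the SBOM."""
    bom = json.loads(sbom_json)
    hits = []
    for component in walk_components(bom.get("components", [])):
        if is_log4shell_affected(component):
            hits.append(component.get("purl")
                        or f"{component.get('group')}:{component.get('name')}@{component.get('version')}")
    return hits


if __name__ == "__main__":
    for purl in find_affected(SAMPLE_SBOM):
        print("AFFECTED:", purl)
```

The same loop, pointed at the SBOMs of every deployed artifact, is the query that an organisation without an inventory had to answer by hand in December 2021; with an SBOM it is a few seconds of JSON traversal. Note that matching on Maven coordinates is only as good as the SBOM's completeness: a shaded or repackaged copy of log4j-core will not appear under these coordinates and needs a separate check.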
The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone who works in the open source community, the replacement of non-memory-safe programming languages such as C and C++ and COBOL, and annual third-party code reviews of up to 200 of the most critical open source software components.
The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the US from malicious cyber-attacks that exploit insecure software platforms and devices.
“What we’re doing here together is bringing together a set of ideas and principles of what broke out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we’ve put together represents the 10 flags in the ground as a base to get started. We’d love to get more input and commitments that move our plan into action.”
Google Cloud also announced at the summit that it will form an Open Source Maintenance Crew, a team of dedicated engineers who will work with upstream maintainers to improve the security of various open source projects.