Google calls on governments to engage with and protect critical open-source projects to prevent a repeat of the Log4j vulnerability

Following the Open Source Security Summit at the White House on Thursday, Google called for greater government involvement in identifying and securing critical open-source software projects. In a blog post published shortly after the summit, Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, said collaboration between government and the private sector is needed for open source funding and governance.

"We need a public-private partnership to identify a list of key open-source projects, depending on each project's impact and importance, to help prioritize and allocate resources for the most basic security assessments and improvements," Walker wrote.


The blog post also calls for increased public and private investment to keep the open-source ecosystem safe, especially when software is used for infrastructure projects. In most cases, funding and review of such projects are carried out by the private sector. The White House had not responded to a request for comment by press time.

Walker wrote: "Open source software code is open to the public, free for anyone to use, modify, or inspect… This is why it is used in many aspects of critical infrastructure and national security systems. But there is no official allocation of resources, nor is there any formal requirement or standard to maintain the security of this critical code. In fact, most efforts to maintain and enhance open source security, including fixing known vulnerabilities, are completed on an ad hoc, voluntary basis."

The lack of funding and resources for open-source development has long been raised as a security concern, and it became a critical issue again after the discovery of a critical vulnerability in the Log4j Java logging library, which quickly became one of the most serious cybersecurity incidents of recent years. Like many such projects, Log4j is primarily developed and maintained by unpaid volunteers.

When an open-source project does receive funding, it usually comes from private sources, such as individual donations or sponsorships from tech companies. Google recently awarded $1 million to the Secure Open Source (SOS) Incentive Program, a pilot program being implemented by the Linux Foundation to financially compensate developers who work to improve the security of open-source projects.
