White House calls summit on open source security following Log4j attacks

Open Source
(Image credit: Shutterstock)

Following the fallout from the recently disclosed Log4j vulnerability, the White House will meet with US tech giants to discuss the security of open source software.

In addition to Apple, Google, Amazon, Meta, IBM and Microsoft, the Apache Software Foundation which owns and maintains the Log4j library, Oracle, GitHub and the Linux Open Source Foundation will attend the meeting with the Biden administration as well.

Executives from all of the tech companies attending the meeting will also meet with representatives from a number of US government agencies including the Commerce Department, Defense Department, Energy Department and Homeland Security. However, other agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology and the National Science Foundation will participate in the meeting too.

In an email to TechRadar Pro, chief security officer at GitHub, Mike Hanely explained just how important open source software is to the commercial software and online services we use everyday, saying:

“Open source software underpins the vast majority of the software we all use daily – just one or two lines of vulnerable code can have a global ripple effect across the billions of developers and services that rely on it. As the world’s largest developer platform, GitHub takes those risks seriously and understands its responsibility to support the millions of developers on our platform in securing open source. Addressing software supply chain security is a team sport. Through partnerships with governments, academia, developers, and other organizations, together we can make a significant impact on the future of software security, and today’s discussion is an important step in securing the world’s code together.”

A key national security concern

Back in December of last year, White House national security adviser Jake Sullivan sent a letter to the CEOs of US tech companies following the discovery of the Log4Shell vulnerability in Apache's popular java logging framework Log4j.

In his letter, Sullivan said that the security of open source software is a “key national security concern” as it is used broadly and maintained by volunteers. As such, vulnerabilities in open source software can affect loads of other products and projects as demonstrated by 2014's Heartbleed flaw in OpenSSL which at the time, was believed to be used in two out of every three servers.

More recently, a disgruntled developer took down thousands of open source projects by corrupting two widely used open source libraries on GitHub. The developer cited the fact that he no longer wants to create free code for commercial companies making millions as the reason for his actions.

We'll likely hear more from each of the individual companies that attended the meeting in the following days as well as from the White House on its plans to improve the security of open source projects and software.

We've also rounded up the best firewallbest endpoint protection software and best malware removal software

Via The Verge

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.