Linux Foundation, Red Hat Join Supply Chain Security Summit

Last week the White House convened government and private sector stakeholders to discuss initiatives to improve the security of open source software and ways new collaboration could drive improvements.  

The discussion focused on three topics: preventing security defects and vulnerabilities in code and open source packages; improving the process for finding and fixing defects; and shortening the time it takes to distribute and deploy fixes once they exist.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger and National Cyber Director Chris Inglis were joined by representatives from private sector organizations including Apple, Google, The Linux Foundation, the Open Source Security Foundation (OpenSSF), Microsoft, Red Hat and VMware, among others.

Linux Foundation Executive Director Jim Zemlin identified the OpenSSF as a key player in the initiative to address the broad set of open source software supply chain challenges.

Brian Behlendorf, executive director of the OpenSSF, pointed out that the organization's working groups on best practices, identifying critical projects, and metrics and scorecards, together with the sigstore project (free tooling for signing software artifacts, verifying those signatures and recording them in a public transparency log), were all aimed at addressing the issues raised at the summit.

“The open source ecosystem will need to work together to further cybersecurity research, training, analysis and remediation of defects found in critical open source software projects,” Behlendorf said in a statement. “Following the recent Log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.”

Open Source Supply Chain Security is a Global Concern

Misconfigurations in software development environments and poor security hygiene across the supply chain can compromise cloud infrastructure and give attackers a way to tamper with the build and release processes of organizations that never notice the intrusion.

The most recent example is CVE-2021-44228, the remote code execution vulnerability in the widely used Java logging library Apache Log4j 2, disclosed in December 2021. This flaw, and others in open source components, pose a severe risk to millions of consumer products and to enterprise software and web applications.

A key theme of the meeting was the recognition of the ways that open source software has accelerated the pace of technological innovation, offers societal and economic benefits, and can contribute to enhancing trust and cybersecurity.

On May 12, 2021, the Biden Administration issued Executive Order 14028, "Improving the Nation's Cybersecurity," which requires federal agencies, and through procurement the vendors and developers that supply them, to design and deliver software with a greater focus on security.

“The core tenets of the cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle and make security data publicly available,” a company statement from Red Hat said. “A continued, dedicated focus on its implementation, and its objective of openness and transparency, is essential.”

Among the topics discussed by the summit's participants were ideas to make it easier for developers to write secure code by integrating security features directly into development tools. The summit also touched on ways to secure the infrastructure used to build, store and distribute code, including techniques such as code signing and stronger digital identities for the people and systems that publish it.

“Safeguarding critical infrastructure includes securing the software that runs its banking, energy, defense, health care, and technology systems,” Linux Foundation Executive Director Jim Zemlin said in a statement. “When the security of a widely-used open source component or application is compromised, every company, every country and every community is impacted. This isn’t a problem unique to the U.S. government; it’s a global concern.”

In fact, the world's major democratic governments have recently taken steps to coordinate some of their cybersecurity defenses; the European Union and the United States, for example, have pledged to negotiate an agreement facilitating cross-border access to electronic evidence for cooperation in criminal matters.

Wider Efforts Needed on Cybersecurity

The open source security summit follows a security summit the White House held in August 2021 attended by numerous high-profile private sector and education leaders who gathered to discuss the wide-ranging efforts needed to address cybersecurity threats.

The U.S. Department of Justice (DoJ) also recently announced the creation of a cybersecurity fellowship program that will train prosecutors and attorneys to handle emerging national cybersecurity threats.


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
