Making Open-Source Software Safer

Uploaded on 2022-01-25 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Open-source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.

In the wake of the Log4Shell critical vulnerability, technology industry executives have recently attended a White House cyber security meeting to discuss initiatives to improve open-source software security .

The meeting included officials from different federal agencies including Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security and the Department of Defense.
Private sector organisations participating in included Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, RedHat, and VMWare.

Discussion focused on three topics:

  • The prevention of security defects and vulnerabilities in code and open source packages. The parties discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code. 
  • Improving the process for finding defects and fixing them. Participants discussed how to prioritise the most important open-source projects and put in place sustainable mechanisms to maintain them. 
  • Shortening of the response time for distributing and implementing fixes. The White House statement said participants discussed ways to accelerate and improve the use of Software Bills of Material (a list of components in a piece of software), as required in the President Biden's Executive Order, to make it easier to know what is in the software we purchase and use.

Following the meeting, Kent Walker, Google president Global Affairs & chief legal officer Google & Alphabet, said that the use of open-source software is foundational to digital infrastructure. “Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open-source software is a connective tissue for much of the online world, it deserves the same focus and funding we give to our roads and bridges,” he wrote.

White House:    ZDNet:    I-HLS:      RCWireless:     Business Telegraph

You Might Also Read: 

Corporate Cyber Attacks Up 50% Last Year:

 

« SAAS Malware Used To Attack Crypto Wallets
Auto-Redirects: A Harmful Detour »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NICE Systems

NICE Systems

NICE Systems provide software solutions to ensure compliance, fight financial crime, and safeguard people and assets.

Identify Security Software

Identify Security Software

Our mission is to bring in a new age of autonomous human authentication in the security and identity space.

netfiles

netfiles

netfiles offers highly secure data rooms for sensitive business processes and secure data exchange.

Approachable Certification

Approachable Certification

Approachable Certification is a UKAS accredited certification body offering down-to-earth and competitively priced audits against ISO Management Systems standards.

Crypto Quantique

Crypto Quantique

Crypto Quantique's ground-breaking technology radically simplifies the process of generating a hardware root of trust in an IoT device.

Improsec

Improsec

Improsec is a fully independent Cyber Security advisory company - we provide knowledge, experience and both strategic and deep technical expertise to our clients.

Cyberstarts

Cyberstarts

Cyberstarts’ vision is to become the leading platform for amazing teams of entrepreneurs to solve the next big problems of the cybersecurity world.

GLESEC

GLESEC

GLESEC offer a complete range of Cyber Security services from Operations & Intelligence Services to Auditing & Compliance and Simulation and Training.

NetNordic Group

NetNordic Group

NetNordic is a Nordic system integrator focusing on solutions and services in the area of networking, smart data centers, cybersecurity, and unified communication.

Networks Unlimited

Networks Unlimited

Networks Unlimited is a leading value-added distributor in Africa, providing technology solutions with a focus on security, networking, enterprise systems management and cloud technologies.

NightDragon

NightDragon

NightDragon is a venture capital firm investing in innovative growth and late stage companies within the cybersecurity, safety, security, and privacy industry.

Dectar

Dectar

Dectar (formerly 4Securitas) is a cybersecurity company that provides solutions that predict, detect, defend and react against cybersecurity threats.

Gogolook

Gogolook

Gogolook is a leading TrustTech company. With "Build for Trust" as its core value, it aims to create an AI- and data-driven global anti-fraud network as well as Risk Management as a Service.

SecureAck

SecureAck

From our A-Op SaaS automation platform to Managed Automation-as-a-Service (MAaaS), SecureAck offer powerful security automation the way that best suits your organisation's needs.

Neeve

Neeve

Neeve is an edge cloud platform transforming smart buildings and spaces, making them more secure, smarter, and more sustainable.

Invary

Invary

Invary's expert Runtime Integrity solution, powered by NSA-licensed technology, verifies the security and confidentiality of your system.