How AI and politics hampered the secure open-source software movement

In November 2021, a zero-day vulnerability in a ubiquitous piece of open-source code stunned the technology industry and set off an urgent effort to help secure the largely volunteer open-source ecosystem. Nearly four years later, that effort has made important progress but has also been hobbled by multiple setbacks.

The Log4Shell vulnerability in Apache Log4j, a popular Java logging library, convinced the Biden administration to focus on open-source security and prompted major tech companies including Amazon, Google and Microsoft to pledge tens of millions of dollars to security improvements. Much of that work occurred through the Linux Foundation’s Open Source Security Foundation (OpenSSF), which created numerous tools to help developers analyze and address their code’s risks.

But what began with a White House summit and an ambitious industry-wide “mobilization plan” soon encountered challenges. A tantalizing new technology known as generative AI distracted the tech giants funding the work, and a political transition in the U.S. extinguished government efforts to keep the industry on track.

Overcoming those obstacles and doubling down on open-source security is essential, experts told Cybersecurity Dive, given how pervasive the code is in everything from critical infrastructure to everyday home computing.

“We need to make sure that the momentum that we built doesn’t get lost,” said Jack Cable, a former senior technical adviser at the Cybersecurity and Infrastructure Security Agency (CISA) who worked on open-source security.

Open-source security progress
Since early 2022, an infusion of funding and attention has led to important open-source security improvements.

One of the most significant developments was the campaign to improve the security of open-source package repositories. The repository “is the modern distribution point for the majority of software that’s consumed,” said David Nalley, director of developer experience at Amazon Web Services, which has helped fund improvements in these vital platforms. Christopher Robinson, OpenSSF’s chief security architect, said the goal of this work was to ensure that “all projects within those ecosystems will inherit” strong security practices.

Amazon also helped the developers behind a TLS library for the memory-safe programming language Rust adopt a cryptographic library validated against federal (FIPS 140) standards, making it easier for organizations that must meet those standards — including companies in regulated industries — to use memory-safe code.


Source: Cybersecurity News