Google calls for new government action to protect open-source software projects
Following a summit on open-source security hosted at the White House Thursday, Google has called for increasing government involvement in identifying and securing critical open-source software projects.
In a blog post published shortly after the summit, Kent Walker, president for global affairs and chief legal officer at Google and Alphabet, said that collaboration between government and the private sector was needed for open-source funding and management.
“We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements,” Walker wrote.
The blog post also called for an increase in public and private investment to keep the open-source ecosystem secure, particularly when the software is used in infrastructure projects. For the most part, funding and review of such projects are conducted by the private sector.
The White House had not responded to a request for comment by the time of publication.
“Open source software code is available to the public, free for anyone to use, modify, or inspect … That’s why many aspects of critical infrastructure and national security systems incorporate it,” wrote Walker. “But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”
The shortage of funding and resources for open-source development has long been raised as a security concern and has re-emerged as a key issue after the discovery of a serious bug in the Log4j Java library, which quickly became the biggest cybersecurity vulnerability in recent years. The Log4j library was also developed and maintained largely by unpaid labor.
When open-source projects do receive funding, it generally comes from private sources like individual donations or sponsorship from tech companies. Google recently contributed $1 million to the Secure Open Source (SOS) rewards program, a pilot scheme being run by the Linux Foundation to financially compensate developers working to improve the security of open-source projects.