Google has called for increasing government involvement in identifying and securing critical open-source software projects. In a blog post published shortly after the summit at the White House, Kent Walker, president for global affairs and chief legal officer at Google and Alphabet, said that collaboration between government and the private sector was needed for open-source funding and management.
“We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements,” Walker wrote.
The blog post also called for an increase in public and private investment to keep the open-source ecosystem secure, particularly when the software is used in infrastructure projects. For the most part, funding and review of such projects are conducted by the private sector.
“Open source software code is available to the public, free for anyone to use, modify, or inspect. That’s why many aspects of critical infrastructure and national security systems incorporate it,” wrote Walker. “But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”
The shortage of funding and resources for open-source development has long been raised as a security concern and has re-emerged as a key issue after the discovery of a serious bug in the Log4j Java library, which quickly became the biggest cybersecurity vulnerability in recent years. The Log4j library was also developed and maintained largely by unpaid labour.
In a statement, Eric Brewer, VP of Infrastructure at Google, said:
“Though it was called a summit, today’s meeting was effectively a working session to develop concrete, pragmatic solutions to improve open source security. The participants broadly agreed on approaches to identify and secure critical projects, and in particular underwrite those efforts with real investment. It is especially crucial that those maintaining open-source projects are given the resources and support they need to ensure they are well maintained and are able to fix vulnerabilities quickly. We applaud the White House for their leadership on this important issue.”