Key Convener Releases Plan for Securing Open Source Software with White House
Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger and other relevant government officials received a plan that large companies have agreed to help fund and support, in the interest of securing the open source software that underpins their technology.
“The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together more than 90 executives from 37 companies and government leaders from the NSC, [the Office of the National Cyber Director], [the Cybersecurity and Infrastructure Security Agency], [the National Institute of Standards and Technology], [the Department of Energy] and [the Office of Management and Budget] to reach a consensus on the key actions that need to be taken to improve the resilience and security of open source software,” a press release said on Friday.
The Linux Foundation and the Open Source Security Foundation, which supports it, published a white paper outlining the full plan. A summary provided in the press release outlines the areas that require attention before, during, and after the software development process.
To improve the security of open source software production, for example, the plan highlights the need to move away from programming languages that are not memory safe. These languages, such as Cobol and C++, may be faster and more efficient, but they are more prone to certain classes of vulnerabilities.
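To make the memory-safety point concrete, the following is an added example (it is not code from the article, the plan, or any project the article names). It assumes a hypothetical binary record format, one length byte followed by that many payload bytes, and contrasts a parser that trusts the length field with one that checks it against both the destination buffer and the bytes actually present. The unchecked variant is the kind of defect that memory-safe languages rule out by construction; in C it must be prevented by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

/* Record layout assumed for this example (hypothetical, not from the article):
 * byte 0 = payload length, bytes 1..len = payload. */

/* Unsafe: trusts the externally supplied length byte and copies that many
 * bytes into a fixed-size buffer. If len > PAYLOAD_MAX, the copy writes past
 * the end of out (memory corruption); if len exceeds the input, it over-reads.
 * Shown only for contrast; it is never called below. */
void parse_record_unchecked(const uint8_t *rec, uint8_t out[PAYLOAD_MAX]) {
    uint8_t len = rec[0];
    memcpy(out, rec + 1, len);
}

/* Safe: validate the length against the destination capacity and against the
 * number of input bytes actually available before copying anything.
 * Returns the payload length on success, or -1 if the record is invalid. */
int parse_record_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len) {
    if (rec == NULL || out == NULL || rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > out_len) return -1;       /* would overflow the destination */
    if (len > rec_len - 1) return -1;   /* claims more bytes than were received */
    memcpy(out, rec + 1, len);
    return (int)len;
}

/* Constructed sample records for demonstration. */
static const uint8_t good_rec[]      = {4, 'o', 'p', 'e', 'n'};
static const uint8_t oversized_rec[] = {200, 'x', 'y'};   /* length byte lies */

int main(void) {
    uint8_t buf[PAYLOAD_MAX];
    int n = parse_record_checked(good_rec, sizeof good_rec, buf, sizeof buf);
    printf("good record: %d payload bytes\n", n);
    n = parse_record_checked(oversized_rec, sizeof oversized_rec, buf, sizeof buf);
    printf("oversized record: %d (rejected)\n", n);
    return 0;
}
```

The checked parser returns -1 for the oversized record instead of scribbling over adjacent memory; the same two comparisons (destination capacity and input availability) are what the language runtime performs automatically in a memory-safe language.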
The plan would also involve identifying and auditing critical libraries and deploying incident response teams as needed, facilitated by tools such as a standardized software bill of materials.
According to the statement, the plan “outlines approximately $150 million in funding over two years to make rapid progress on well-tested solutions … The 10 investment streams include concrete action measures for both more immediate improvements and to build foundations for a safer future.”
“A subset of participating organizations have come together to collectively commit an initial tranche of funding for the implementation of the plan,” the statement added. “These companies are Amazon, Ericsson, Google, Intel, Microsoft and VMware, which promise more than $30 million. As the plan evolves, more funding will be identified and work will begin as individual streams are agreed.”
Debates that have been simmering for years about who is responsible for what in a secure software development process, and how to properly shape incentives, are coming to a boil.
In accordance with Executive Order 14028, the National Institute of Standards and Technology has published and updated a number of new guidance documents for agencies and other enterprise customers to secure their software supply chains. The agency said there is more work to be done on the responsibilities of supply chain suppliers, such as those producing key information and communications technologies.
In a hearing before the House Science Committee on Wednesday, Brian Behlendorf, general manager of the Open Source Security Foundation, stressed the importance of addressing the security of the open source libraries that serve the Internet's routing system, in the context of prioritizing where the community supporting open source software should focus its attention.
“There have been some very exciting developments in recent years [in the performance of memory safe coding languages]. I think it’s time to really look at many key libraries and parts of the Internet architecture, such as software running the domain name system, as opportunities to, again, remove entire categories of software vulnerabilities.”