Google and IBM see public-private partnerships as the solution to identifying and securing vulnerable open source software. “Open source software should receive the same funding as bridges and roads”, said Kent Walker, Chief Legal Officer at Google.
IBM and Google presented the solution during a consultation between various tech giants and the US government at the White House. The meeting was called in response to the recent Log4j vulnerability.
Several major tech companies — including Apache, Google, Apple, Amazon, IBM, Microsoft, Meta, Linux and Oracle — consulted with various US government departments and the Cybersecurity and Infrastructure Security Agency (CISA).
Following the meeting, Google and IBM stated that it was time for the public sector and private companies to join forces to make open source software more secure. According to Google’s parent company, Alphabet, open-source software is the glue of the online world. Therefore, open-source software should receive the same funding as bridges and roads.
Lists of vulnerable open-source software
Google, IBM and Akamai are formulating official proposals on how to better ensure the security of open source software in the future. According to Kent Walker (Chief Legal Officer at Google), a public-private partnership should draw up lists of vulnerable open source projects. The lists should be determined based on the influence and importance of the projects. With the help of these lists, companies could more easily invest in the most critical security research and implementations.
According to Google, another solution could be a marketplace for the maintenance of open source software. This marketplace would link volunteers to companies that need support for the most important open source projects. Google intends to provide the necessary manpower.
Investing in open standards
IBM notes that investing in open standards is an effective method for securing open source software. According to the tech giant, both governments and the tech industry itself must stimulate the adoption of open security standards.
Furthermore, Big Blue underscores the importance of the lists mentioned above. The organization says public and private parties must ensure that the most critical open source solutions and applications are identified and kept under oversight. Other measures include further stimulating skills and training in open-source security and rewarding developers who discover important vulnerabilities.
The meeting at the White House was informative, not decisive. Although initiatives are yet to be launched, Log4j has undoubtedly been a wake-up call for the US government and the tech industry. All parties are convinced that quick action is needed.