White House meeting discusses open source security

Sheila Zabeu

January 18, 2022

The recent case involving vulnerabilities in Log4j, an open-source Java logging library developed by the Apache Software Foundation and widely used by developers to record what happens inside applications and Internet services, has sounded a wake-up call about the importance of open source security and software supply chains.

Because of this, the US White House and tech giants have decided to discuss initiatives to rapidly improve the security of open source. In a letter of invitation to the meeting, Jake Sullivan, national security adviser, said that “open source software is a major national security concern”. For the US government, this category of software is ubiquitous across all sectors of the economy and is used even by the US national security community. However, it presents unique security challenges because of the breadth of its use and because its ongoing maintenance generally rests on a small number of volunteers.

The agenda of the meeting focused on three topics: preventing security flaws and vulnerabilities; improving the process for identifying and fixing problems; and reducing the response time for distributing and implementing fixes.

Regarding the first topic, participants discussed how to make it easier to write secure code by integrating security features into software development tools, and how to protect the infrastructure used to store and distribute code, for example through code signing and stronger digital identities.
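To make the code-signing point concrete, the following is an added example written for this article; it is not code from the meeting, from any participant, or from any real distribution infrastructure. A publisher hashes a release artifact with SHA-256, signs the artifact name together with its digest using an Ed25519 key, and a consumer recomputes the digest of what it downloaded and verifies the signature against the publisher's public key. The artifact name and the release bytes are constructed for the example; the keys are generated on the fly, whereas in practice the public key would be distributed out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseSignature is a detached signature that binds an artifact's name
// to the SHA-256 digest of its content, so a signature issued for one
// file cannot simply be reused for another.
type ReleaseSignature struct {
	Artifact string
	Digest   [32]byte
	Sig      []byte
}

// signedMessage is the exact byte string that gets signed: the artifact
// name, a NUL separator, then the digest. Signing the name as well as the
// digest means the signature covers identity, not just content.
func signedMessage(artifact string, digest [32]byte) []byte {
	msg := append([]byte(artifact), 0)
	return append(msg, digest[:]...)
}

// SignArtifact is the publisher's side: hash the release bytes and sign
// the (name, digest) pair with the private key.
func SignArtifact(priv ed25519.PrivateKey, artifact string, content []byte) ReleaseSignature {
	d := sha256.Sum256(content)
	return ReleaseSignature{
		Artifact: artifact,
		Digest:   d,
		Sig:      ed25519.Sign(priv, signedMessage(artifact, d)),
	}
}

// VerifyArtifact is the consumer's side. It recomputes the digest of the
// downloaded bytes and checks the signature with the publisher's public
// key. A modified file fails the digest comparison; a file whose digest
// was also rewritten, or a signature from another key, fails Ed25519
// verification.
func VerifyArtifact(pub ed25519.PublicKey, artifact string, content []byte, rs ReleaseSignature) bool {
	if rs.Artifact != artifact {
		return false
	}
	d := sha256.Sum256(content)
	if d != rs.Digest {
		return false
	}
	return ed25519.Verify(pub, signedMessage(artifact, d), rs.Sig)
}

// Demo runs the publisher/consumer flow on constructed data and returns
// three results: the genuine artifact verifies, a tampered artifact is
// rejected, and a signature checked against the wrong key is rejected.
func Demo() (genuine, tamperRejected, wrongKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)

	artifact := "example-lib-1.0.0.jar"          // hypothetical artifact name
	content := []byte("constructed release bytes") // constructed release content

	rs := SignArtifact(priv, artifact, content)
	genuine = VerifyArtifact(pub, artifact, content, rs)
	tamperRejected = !VerifyArtifact(pub, artifact, append([]byte("x"), content...), rs)
	wrongKeyRejected = !VerifyArtifact(otherPub, artifact, content, rs)
	return genuine, tamperRejected, wrongKeyRejected
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```

The design choice worth noting is that the signature covers the artifact name and digest together: a digest-only signature would let an attacker serve a signed artifact under a different name, and a signature that is not checked at all against a freshly computed digest gives no protection against a swapped download. The remaining hard problem, which the White House discussion calls "stronger digital identities", is how the consumer learns which public key belongs to the publisher.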

For the second topic, participants discussed how to prioritize the most important open-source projects and put in place sustainable mechanisms to maintain them. The last topic addressed ways to make it easier to know what is in the software we buy and use.
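Knowing what is in the software you run is what lets a team answer, on the day a Log4j-style advisory lands, whether it is affected. The following is an added example, written for this article and not part of the meeting's output or of any vendor's tooling: it reads a small CycloneDX-style software bill of materials (SBOM) and lists every log4j-core component below a minimum safe version. The SBOM document is constructed for the example and the 2.17.1 threshold is an assumption for illustration; in practice the floor should be taken from the current Apache advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is the subset of a CycloneDX component record that the check
// needs: Maven group, artifact name and version.
type Component struct {
	Group   string `json:"group"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

// SBOM is the subset of a CycloneDX document that the check needs.
type SBOM struct {
	Components []Component `json:"components"`
}

// sampleSBOM is a constructed input for the example, not taken from any
// real product. It contains one outdated and one current log4j-core.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.17.1"},
    {"group": "com.example",              "name": "webapp",     "version": "1.0.0"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
  ]
}`

// parseVersion turns "2.17.1" into [2 17 1]. Each dot-separated part keeps
// only its leading digits, so "2.0-beta9" becomes [2 0]; pre-release tags
// are ignored, which is safe here because the threshold is a final release.
func parseVersion(v string) []int {
	var out []int
	for _, part := range strings.Split(v, ".") {
		i := 0
		for i < len(part) && part[i] >= '0' && part[i] <= '9' {
			i++
		}
		n, _ := strconv.Atoi(part[:i]) // empty string yields 0
		out = append(out, n)
	}
	return out
}

// versionLess reports whether version a is numerically older than b,
// comparing component by component and treating missing components as 0.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// FindVulnerableLog4j parses the SBOM and returns the versions of every
// org.apache.logging.log4j:log4j-core component older than minSafe.
func FindVulnerableLog4j(sbomJSON string, minSafe string) ([]string, error) {
	var bom SBOM
	if err := json.Unmarshal([]byte(sbomJSON), &bom); err != nil {
		return nil, fmt.Errorf("parsing SBOM: %w", err)
	}
	var hits []string
	for _, c := range bom.Components {
		if c.Group == "org.apache.logging.log4j" && c.Name == "log4j-core" && versionLess(c.Version, minSafe) {
			hits = append(hits, c.Version)
		}
	}
	return hits, nil
}

func main() {
	hits, err := FindVulnerableLog4j(sampleSBOM, "2.17.1") // threshold assumed for the example
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, v := range hits {
		fmt.Printf("log4j-core %s is below 2.17.1 and should be updated\n", v)
	}
}
```

Two caveats a practitioner would add: an SBOM only lists what was declared, so a copy of log4j-core shaded into another jar or pulled in transitively will be missed unless the SBOM generator resolved the full dependency tree; and a version comparison is only as good as the advisory data it is compared against, so the threshold should be updated as new fixes are released.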

In a press conference after the meeting, Sullivan highlighted the government’s efforts to address the security problem of open-source software. He pointed to the US president’s executive order of May 2021, which directed NIST (National Institute of Standards and Technology) to develop guidelines identifying practices that better secure the software supply chain, including standards, procedures or criteria that ensure and attest to the integrity of open source software. NIST has published these guidelines in draft form.

Also after the meeting, Google disclosed in a blog post the new collaborative models it has been proposing to protect open-source software. Other participants of the meeting also endorsed working together on open source security, among them the Open Source Security Foundation (OpenSSF), GitHub, Red Hat and the Linux Foundation.

Linux on the target

Incidentally, malware targeting Linux, one of the main open source operating systems and widely used in Internet of Things (IoT) devices and cloud environments, hit a new record high in 2021, according to a report by CrowdStrike: the volume of Linux-targeting malware grew 35% in 2021 compared to 2020.

XorDDoS, Mirai, and Mozi were the most prevalent Linux malware families in 2021. In particular, Mozi recorded a ten-fold increase in the number of samples seen in the wild compared to 2020. The primary goal of these families is to compromise vulnerable Internet-connected devices, amass them into botnets, and use them to carry out distributed denial-of-service (DDoS) attacks.

According to the study, the various Linux builds and distributions at the heart of cloud, mobile and IoT infrastructures are easy prey for cybercriminals, who can threaten the integrity of critical Internet services by exploiting open ports or unpatched vulnerabilities such as the one in Log4j. With more than 30 billion IoT devices expected to be connected to the Internet by the end of 2025, the attack surface available for building massive botnets is enormous.

So that problems like Log4j don’t happen again

Brian Behlendorf, one of the leaders of the open source movement, spoke about the relevance of security for this class of software and about how developers can keep vulnerabilities like the one in Log4j from making their way into such widely used software in the first place. Behlendorf was one of the original developers of the Apache web server and is working with the Linux Foundation and OpenSSF to identify best practices and support their adoption across the open source ecosystem.