As the world grapples with the recent log4j open source software vulnerability that has put millions of devices at risk of hacking, Google has called for a public-private partnership to identify a list of critical open source projects and find new ways of identifying software that might pose a systemic risk.
Following a White House summit on open-source security on Thursday, Google stated that collaboration between government and the private sector was required for open-source funding and management.
Kent Walker, President for Global Affairs and Chief Legal Officer at Google and Alphabet, said: “We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritise and allocate resources for the most essential security assessments and improvements.”
The source code of open source software is freely available for anyone to use, modify, or inspect.
Since it is publicly available free of cost, open source encourages collaborative innovation and the development of new technologies to help solve common challenges.
Google said: “That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code.”
In fact, the majority of work to maintain and improve open source security, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.
Google noted: “Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.”
For organizations throughout the world, the ‘Log4j’ vulnerabilities present a complex and high-risk situation.
This open-source component is widely used across many vendors’ software and services.
Microsoft stated: “Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”
Thousands of attempts are being made to exploit a second vulnerability in the Java logging library ‘Apache log4j2’.
More than 35,000 Java packages, accounting for over 8% of the Maven Central repository (the most important Java package repository), are affected by the recently discovered vulnerabilities, according to Google, with enormous ramifications across the software industry.
Following the widespread ‘Log4Shell’ vulnerability in the Log4j version 2 branch, the Apache Software Foundation has released several fixes.