Government and private sector software security experts met with White House officials on Jan. 13 to discuss ways to boost the security of the open-source software that helps to run everything from consumer gadgets to massive industrial systems.
According to a White House statement describing the meeting, “participants had a substantive and constructive discussion on making a difference in the security of open-source software, while effectively engaging with and supporting, the open-source community.”
The discussion centered on three main topics – preventing security defects and vulnerabilities in code and open-source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.
During the meeting, participants discussed prioritizing the most important open-source projects and putting in place sustainable mechanisms to maintain them. They also discussed ways to accelerate and improve the use of Software Bills of Materials to make it easier to know what is contained in software that the government purchases and uses.
They also discussed ideas for making it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure built.
This meeting follows the discovery of a massive security flaw in the popular open-source Java logging library Apache Log4j. If the flaw is left unfixed, cyber attackers could exploit it, posing risks for huge swaths of the internet.
To date, no Federal agencies have been compromised because of the bug, and no major cyberattacks have been reported because of it in the U.S. According to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, most attempts to exploit the bug have focused on low-level crypto mining or drawing devices into botnets.
Participants at the White House meeting included National Cyber Director Chris Inglis, and officials from CISA, Amazon, Apache Software Foundation, Apple, IBM, Facebook/Meta, and Google.
All participants – private sector and government – plan to continue these discussions to support related initiatives in the coming weeks, the White House said.