Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger and other relevant government officials received a plan under which large companies agreed to help fund and support the open source software that underpins their technology.
“The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the Department of Energy and the Office of Management and Budget to reach a consensus on key actions to be taken to improve the resilience and security of open source software,” a press release said Friday.
The Linux Foundation and the Open Source Security Foundation it supports have released a white paper describing the full plan. A summary provided in the press release identifies areas that require attention before, during and after the software development process.
To improve security during the production of open source software, for example, the plan emphasizes the need to move away from programming languages that are not memory-safe. Languages such as Cobol and C++ can be faster and more efficient, but they are more susceptible to certain classes of vulnerabilities.
The plan also includes identifying and auditing specific libraries and deploying incident response teams where necessary, facilitated by tools such as a standardized software bill of materials (SBOM).
According to the announcement, the plan “outlines approximately $150 million in funding over two years for the rapid advancement of well-tested solutions.”
“A subset of participating organizations came together to collectively promise an initial tranche of funding to implement the plan,” the statement added. “These companies are Amazon, Ericsson, Google, Intel, Microsoft and VMware, which promise more than $30 million. As the plan develops, additional funding will be identified and work will begin once the individual streams are agreed.”
The years-long debate over who is responsible for what in the secure software development process, and how to design incentives, is in full swing.
Pursuant to Executive Order 14028, the National Institute of Standards and Technology has released and updated a series of new guides for agencies and other corporate clients to secure their software supply chains. The agency said more work on the responsibilities of supply chain suppliers – such as those producing basic information and communication technologies – is on the agenda.
At a hearing before the House Science Committee on Wednesday, Brian Behlendorf, general manager of the Open Source Security Foundation, testified that addressing the security of the open source libraries serving the Internet's routing system should be a priority when deciding where community support for open source software needs to focus.
“There has been some really exciting progress over the last few years [in the performance of memory safe coding languages],” Behlendorf said. “I think it’s time to really consider looking at many fundamental libraries and parts of the Internet architecture, such as the software that manages the domain name system, as opportunities to once again eliminate whole categories of software vulnerabilities.”