Businesses using open source software need to understand what components are in their applications and be prepared to act quickly when vulnerabilities are discovered, the Apache Software Foundation told a Thursday White House meeting of government officials and IT companies on improving the security of open source applications. In December, the White House had invited tech leaders to the meeting after the discovery of the Log4j vulnerabilities. According to Reuters, in the invitation letter, National Security Advisor Jake Sullivan noted that such open-source software is broadly used and maintained by volunteers and is a “key national security concern.”
Stung by criticism after the discovery of several serious vulnerabilities in the Log4j 2 utility, the Foundation said Log4j and the 2014 vulnerability in the OpenSSL crypto library, dubbed Heartbleed, are being used as examples of open source vulnerability risks. “But,” the Apache submission said, “it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently.”
“What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations,” the submission added.
Open source supply chain issues can’t be solved by focusing exclusively on developers, it added. Even perfect releases, Apache said, can take years to be adopted and deployed by those using open source packages.
One of the most valuable things businesses that use open source can do is contribute back, Apache added. “Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn’t sufficient.”
The submission was one of several made to the U.S. government at the meeting. The meeting included representatives of the Biden administration, the Pentagon, the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and several government departments.
IT companies present included Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware.
A White House statement after the meeting said participants “had a substantive and constructive discussion” on how to make a difference in the security of open-source software while also supporting the open-source community.
The discussion focused on three topics: preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.
Participants also discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software Washington purchases.
Google proposed a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.
“Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing,” Google said.
As for the Log4j vulnerability, Apache was defensive. “The recent Apache Log4j vulnerability was an unfortunate combination of independently designed features within the Java platform,” it said. “Disabling antiquated and unnecessary features, at least within a default configuration, would have prevented the vulnerability.”
The outcome of the meeting mirrors some of the conclusions drawn after the Heartbleed vulnerability, said Johannes Ullrich, research director of the SANS Institute. The Linux Foundation started an effort to catalog critical projects in need of support. That turned into the OpenSSF (Open Source Security Foundation). “I believe that the points raised during the meeting at the White House very much mirror what the OpenSSF is trying to accomplish,” he said in an email. “Some of the participants of the White House meeting are already members/supporters of the OpenSSF. Additional funding and support, as well as outreach to identify critical components, are needed. CISA’s effort to require SBOMs (Software Bill of Material) will also be an important component to identify which components are critical and need more support.”