Log4j Lesson: Open Source Software Improvements Need Federal Government Help
While much of this software is written by employees of tech companies whose products rely on open source code, the developer community is decentralized, often poorly resourced, and generally more focused on adding new functionality than on securing existing functionality. But amid urgent pressure to fix vulnerable devices, open-source security specialists say recent advances will make future disasters less likely, especially if that work is spurred on by the federal government.
“There’s a lot more control over the software now,” said David Wheeler, director of open source supply chain security at the Linux Foundation. “We have a lot of people who decided it was important enough to invest real time, money and people.”
Cyber professionals have been calling for this kind of increased attention for years, especially after Heartbleed, a massive encryption vulnerability discovered in 2014, was attributed to flaws in the open-source encryption library OpenSSL. At the time, security advocates complained that big tech companies had done too little to support the handful of developers who maintained OpenSSL, mostly in their spare time.
Such complaints resurfaced after the discovery this month of the Log4j flaw.
Yet over the past year, several high-profile efforts to tighten the security of open source code have picked up steam, mostly under the auspices of the Linux Foundation’s Open Source Security Foundation. The group has published a guide to help software developers disclose vulnerabilities and coordinate with organizations that depend on their code, a scorecard that can automatically assess a software project’s security posture, a framework for building in-code anti-tamper protections and a service that issues security certificates to help developers prove that their software updates are genuine.
“It’s about setting an expectation…because, what does it mean to be safe?” Brian Behlendorf, CEO of the Open Source Security Foundation, said of these initiatives.
Some tech giants have stepped in to help. Google has pledged $100 million to groups focused on improving open source security. “We seek, through foundations and financial support, to find ways to help [developers] do the right thing,” said Eric Brewer, vice president of infrastructure at Google and founder of the Open Source Security Foundation.
But security experts say the fragmented and underfunded open source community also needs major help from the federal government to find and fix flaws in neglected pockets of widely used code.
“It’s amazing how basic critical software is actually not that complicated [and] does not require large development teams,” Behlendorf said. Grants of $50,000 or $80,000 to pay a few people for a few months “could make a substantial difference,” he said.
Allan Friedman, senior adviser and strategist at CISA, agreed that government has an important role to play, especially given its ability to see the big picture of how and where open source code underpins critical systems.
The federal government has “a very holistic view of software,” Friedman said. “We can help prioritize projects that are critical to the national mission and also where we may not have enough existing resources.”
Proponents of the open-source model have long touted its security advantages over proprietary, closed-source software, saying the ability to publicly share code and collaborate on fixes makes it easier to fix vulnerabilities that might otherwise not be known. Open source software has become ubiquitous on the Internet and in a host of computer systems, including major products like Apache’s web server and the Linux family of operating systems that also forms the basis of Android.
But in practice, Log4j and other similarly ubiquitous open source libraries often receive little dedicated review and maintenance, allowing flaws to remain hidden for long periods of time.
And while some foundations receive significant financial support from companies that depend on open-source code — Behlendorf said the automakers “care a little bit about all that” — others operate on shoestring budgets.
Federal agencies rely heavily on open source code, so funding targeted security reviews of specific software packages would be in the direct interest of the government.
“This is important critical infrastructure,” Brewer said, “and it needs the same kind of support as all other critical infrastructure.”
Two other solutions will require a combination of federal government and industry efforts.
The Log4j emergency shed light on federal efforts to create a standard approach for a feature called a software bill of materials (SBOM), a list of digital ingredients that would help software users understand where its code came from. By reviewing these ingredient lists, organizations could determine if they are using software that contains vulnerable code.
But few companies maintain accurate and complete inventories of their software, or have the technology to automatically process ingredient lists. “It’s definitely not a panacea,” Brewer said.
Still, “it’s going to be very difficult to move forward without an SBOM,” said Friedman, who oversaw SBOM work at the National Telecommunications and Information Administration before joining CISA. “Transparency in the software supply chain is going to be key…to understand where our exposures are, where our risks are, and where the opportunities for help lie.”
More important than any new technology is teaching new coders about cybersecurity. College courses and online coding platforms “usually don’t talk” about security, Wheeler said. “We get exactly the kind of software we should expect when we don’t teach anyone” how to write secure code and spot bugs.
Congress, CISA, and NIST have devoted significant attention to cybersecurity education in recent years. Federal guidelines on software security programs and grants to schools that offer them could help improve security literacy.
Despite flare-ups like the Log4j crisis, those most closely involved with open source security initiatives predict major ecosystem improvements over the next few years.
“The future is very, very bright,” Wheeler said. “Things are going to get better relatively soon, thanks to all the attention and effort people are putting into it.”