White House Stresses the Need for Stronger Open-Source Software Security

The Biden administration has emphasized the importance of strong security standards in open-source software development during a two-day summit attended by technology companies, banks, and industry groups.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, stated that the administration wants companies to expand their use of software bill of materials, which provide details about the components of a product or program. The White House also called for companies to conduct exercises using these inventories to assess how easily vulnerabilities or flaws can be remedied.

This summit in Washington, D.C. follows a similar one at the White House in January 2022. The January meeting was prompted by the disclosure of a vulnerability in Log4j, a popular open-source program that tracks network activity. The disclosure left security teams working through the Christmas period to fix the flaw, which Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described as one of the most severe she had encountered in her career.

The meeting was attended by senior administration figures such as Kemba Walden, the acting National Cyber Director, as well as officials from CISA, the Energy Department, and the National Science Foundation. Financial institutions like Citigroup, JPMorgan Chase, and Bank of America were also present, along with technology companies Microsoft, Google, and International Business Machines.

The U.S. government has prioritized open-source security since the Log4j disclosure and the compromise of software at SolarWinds in 2020. The National Cybersecurity Strategy, published in March, outlines specific steps the government plans to take to address the issue. On Tuesday, CISA published a road map detailing how it intends to engage with the open-source community and strengthen the secure use of open-source software within federal agencies.

The meeting aimed to address concerns within the open-source community that companies are not being sufficiently diligent in managing their use of open-source software. The Maven Central repository, operated by cybersecurity company Sonatype, reported that almost 30% of Log4j downloads since the vulnerability disclosure were earlier, flawed versions published before the patch.

Some experts have emphasized the need for companies to invest more time into deciding which open-source software to use and improving inventory management. Dan Lorenc, CEO of open-source security company Chainguard, stated that while a magic wand or executive order cannot guarantee the security of all open-source software, companies can be encouraged to prioritize security and better manage their inventories.

Contact James Rundle at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

Denial of responsibility! Vigour Times is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.