Tech giants have pledged millions of dollars to bolster the security of open source software.
The pledge was made during a meeting in Washington DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.
The industry gathering, which was attended by government leaders and over 90 executives from 37 companies, is a follow-up to the historic White House summit in January. Millions of devices were at risk because of the flaw in the Apache Log4j library, and according to a study from March almost a third of instances remain unpatched.
During last week's meeting, companies pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. The first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. The creation of a software bill of materials will allow companies to see the software they are using in their tech stack.
The elimination of non-memory-safe programming languages like C++ and COBOL, and annual third-party code reviews of 200 of the most critical open source software components, are included in the Software Supply Chain Security Mobilization Plan.
The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to protect the U.S. from malicious cyberattacks.
Brian Behlendorf, executive director of OpenSSF, said that they are working together to come up with a set of ideas and principles to fix what is broken.
The open source maintenance crew will be a team of dedicated engineers that will work with upstream maintainers in order to boost the security of various open source projects.
Open source developers, who work for free, are discovering they have power