Google has urged the US government to be more proactive in identifying and protecting vital open source initiatives for internet security. Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, said the US needs a public-private collaboration to properly fund and staff the most important open source projects in a blog post released after the White House’s Log4j vulnerability summit on Thursday.
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems,” he said. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
According to Walker, the partnership would assess a project’s influence and importance in order to evaluate how important it is to the ecosystem as a whole. Looking ahead, he believes the industry will require new methods for identifying software that could represent a systemic risk to internet security in the future.
More public and private money is also needed, according to Walker, who added that Google is willing to contribute to an organisation that matches volunteers from firms like its own to essential initiatives in need of assistance. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” he said.
Following the revelation of the Log4Shell vulnerability, there has been a lot of discussion about the relevance of open source software. With services like Steam and iCloud relying on it, Log4j is one of the most popular and frequently used logging libraries. Marcus Hutchins, a security researcher who assisted in the containment of WannaCry, described the flaw as “very dangerous,” as it exposed millions of applications open to attack.
