Last week, I attended the White House Open Source Software Security Summit, along with VMware’s Chief Security Officer, Alex Tosheff, and Michael Kennedy, our VP of Global Government Relations and Public Policy. Led by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, the summit was attended by both private industry (including Google, Facebook, Apple, Microsoft, GitHub, the Apache Software Foundation, the Linux Foundation, and others) and government agencies, including the Cybersecurity and Infrastructure Security Agency, the Commerce Department, the Department of Defense, the National Security Council, the National Institute of Standards and Technology, the National Science Foundation, and Homeland Security.
The gathering was precipitated by the Log4j vulnerability, a hole in a ubiquitous open-source logging framework for Java applications. But Log4j is just the latest poster child for the real issue: how can we ensure source code, build, and distribution integrity in open source software (OSS)?
Attendees surfaced important focus points, such as how to prioritize the issues related to OSS security, how to develop a set of best practices, how to gauge our progress as we make changes, and how to influence and educate OSS maintainers and developers. We also discussed defining a complete Software Bill of Materials (SBOM), the structured list of components, libraries, and modules required to build OSS, and the supply-chain relationships between them.
While the SBOM is a good place to start, it is just that — a start. We need to educate all of the personas involved with the OSS ecosystem. We need to engineer software in such a way that security is inherently baked in and design tooling such that the easiest path is also the secure path.
VMware is deeply invested in OSS. Not only do we contribute to some of the world’s most important OSS projects, but we also make contributions in many different ways, including our participation in organizations such as the Open Source Security Foundation (OpenSSF) from the Linux Foundation. OpenSSF is a cross-industry collaboration that addresses multiple initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in OSS. (Check out my recent blog “OpenSSF: Tackling Software Security with an Ecosystem Approach” and our response to the White House — which includes our recommendations — to learn more.)
There are many complex issues to sort out. But I am confident that through effective private- and public-sector collaboration, we can develop effective solutions.
I invite you to share your own perspectives and experience with OSS security in the comments. I look forward to hearing your thoughts.