Severe open source software vulnerabilities such as the flaw found in December in the Log4j logging library are likely to pop up in penetration tests for a long time.

These bugs don't go away because, despite the availability of patches and solid update advice, administrators aren't always aware of where these open-source components live inside either commercial or homegrown software applications.

This is particularly true in industrial environments, where legacy software continues to dominate and the criticality of these bugs is further magnified, because downtime is often unacceptable and critical services cannot easily be turned off for software or firmware updates.

Instead, organizations are left with few options other than to apply mitigations, if any are made available, in the hope of blunting the impact of a publicly available exploit.

Tomorrow, representatives from a number of cloud service providers, software development companies, and other tech leaders are scheduled to meet at the White House to discuss the prevalence and risks posed by open source software components.

Log4j has stirred this reaction within the Biden administration, but this has been brewing for some time.

Open Source 'Key National Security Concern'

The administration has prioritized cybersecurity of critical infrastructure since last year's very public attacks against Colonial Pipeline and other industrial companies, and a number of executive orders and industry-specific mandates emerged urging more visibility into the assets running the country's most critical services.

White House national security adviser Jake Sullivan went so far as to call the use of open source software a "key national security concern." Not only is the lack of visibility into where open source software lives within commercial products a concern, but Williams added that many of these projects are run by "volunteers." The Apache Software Foundation maintains Log4j, and on its website it says more than 850 individual members and 8,200 committers collaborate on the enterprise-grade software built and maintained by the foundation.

There are more than 300 projects listed on the Apache website; it's unknown how many members and committers work on Log4j, for example.

Many open source projects are under-resourced and poorly funded; these challenges often don't come to light unless a critical vulnerability surfaces.

Heartbleed, the crypto vulnerability found in 2014 in OpenSSL, shone a harsh light on the lack of resources keeping OpenSSL afloat, despite the fact that the software lived everywhere from commercial software to smartphones to industrial devices.

There was a skeleton crew maintaining OpenSSL at the time, woefully behind on updates, yet faithful to keeping the project on track.

Heartbleed put a lot of businesses at risk, and the industry was forced to react by creating groups to audit the code base and funnel money and development resources to the project.

Last May, the first steps were taken toward locking down software development for code used by the federal government. Buoyed by the SolarWinds supply chain attack, the administration issued an executive order that included a prominent section on enhancing software supply chain security, including the creation of guidelines to evaluate secure development practices. Tomorrow's White House meeting is a concrete step the Biden administration is taking toward proactively assessing the risks posed by open source software.