After Log4j, White House fears the next big open source vulnerability

Written by Jonathan Greig, Staff Writer, on January 13, 2022

Jonathan Greig is a journalist based in New York City.

Topic: Open Source

The White House is holding a meeting today with Apache, Google, Apple, Amazon, and other major tech organizations to discuss software security and open source tools. This comes in the wake of the Log4j vulnerability that has caused shockwaves throughout the world since it was discovered in December. 

White House National Security Advisor Jake Sullivan asked for the meeting in December, noting in a letter to the companies that it was a “national security concern” for foundational open source software to be maintained by volunteers. 

The meeting, led by White House cybersecurity leader Anne Neuberger, includes officials from companies like IBM, Microsoft Corp, Meta, Linux, and Oracle as well as government agencies like the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA).

Chris Inglis, National Cyber Director, said on Thursday that the situation around Log4j “has highlighted the need to improve our software security and the transparency of our software supply chain.” 

The Apache Software Foundation, which manages Log4j and is run by volunteers, released a bevy of documents ahead of the meeting explaining its stance and its efforts to remediate the vulnerability. Some of the documents offer a tacit defense of the organization’s response to the crisis, describing the Log4j flaw as “an unfortunate combination of independently designed features within the Java platform.”

Apache noted that they have several hundred open source projects and oversee 227 million lines of code. 

During a press conference this week, CISA director Jen Easterly and CISA executive assistant director for cybersecurity Eric Goldstein told reporters that they have not seen any “high-profile breaches or attacks” related to the Log4j vulnerability apart from the attack on the Belgian Defense Ministry.

“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert. Everybody remembers that the Equifax breach that was revealed in September of 2017 was a result of an open-source software vulnerability discovered in March of that year,” Easterly said.

Easterly said that as a result of Log4j, CISA is accelerating its efforts to create a “software bill of materials” (SBOM) and noted that they recently hired Allan Friedman, who previously led cybersecurity and SBOM efforts at the Commerce Department. Friedman is now working on coordinating SBOM efforts inside and outside the US government. 
