Amazon, Google, VMware talk open source security at White House

Amazon, Google, IBM, Microsoft and VMware headed to the White House on Thursday for a meeting with government officials on how to make open source software more secure, following the recent discovery of a critical flaw in a commonly used open source logging tool.

Other major players, including Apple, Cloudflare, Facebook/Meta, Oracle, Red Hat, the Apache Software Foundation, GitHub, the Linux Foundation and the Open Source Security Foundation, also attended. A number of key government officials were also there, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and representatives from the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, the National Science Foundation and the Departments of Defense, Commerce, Energy and Homeland Security.

A readout of the meeting showed the discussion focused on how to prevent vulnerabilities in open source code and packages, improve the process for finding flaws and reduce the time it takes to implement fixes for those weaknesses.

The summit comes after the discovery of a vulnerability in Apache’s Log4j open source software. Log4j is a utility library that is used to record security and performance information for computer systems. According to CISA, it is widely used in consumer and enterprise services, websites and applications.

Microsoft previously noted in a blog post addressing the issue that, because Log4j is a component, “the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”

The group at the White House mulled ways to integrate security features into open source development tools and secure the infrastructure that is used to build and house code. They also talked about how to prioritize the most important open source projects, and how to broaden the use of “Software Bills of Material” which outline what components are in a given software package.

VMware CTO Kit Colbert in a statement called the meeting “incredibly constructive” and said the company looks forward to “continued engagement between the White House and industry” to address the issue.

Kent Walker, President of Global Affairs and Chief Legal Officer at Google and Alphabet, said in a blog post following the meeting that the Log4j problem “shows that we need the same attention and commitment to safeguarding open source tools” as is devoted to proprietary software.

He added that in the longer term, the industry will need to develop “new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.”