Mountain View, California-based giant Google is calling for increased government involvement in identifying and securing critical open-source software projects. This came after the company participated in a summit on open-source security hosted at the White House on Thursday. In a blog post, Google’s president for global affairs and chief legal officer, Kent Walker said that a collaboration between governments and organisations is integral for open-source funding and management.
“We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritise and allocate resources for the most essential security assessments and improvements," Walker wrote in the blog post. He also called for an increased investment on both public and private sides to keep the open-source ecosystem secure, particularly when the software is used in infrastructure projects.
Walker said that most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad-hoc and volunteer basis. “Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis."
Google is calling for a public-private partnership to identify a list of critical open source projects to help prioritise and allocate resources for most essential security assessments and improvements. “In the long term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing," the company said.