You are here: Home » International » News » Companies
Business Standard

Google calls for govt help to secure critical open-source software

Google has called for a public-private partnership to identify a list of critical open source projects and find new ways of identifying software that might pose a systemic risk.

Topics
Google | Microsoft | White House

IANS  |  Washington 

Google
Google said the collaboration between government and the private sector was needed for open-source funding and management.

has called for a public-private partnership to identify a list of critical open source projects and find new ways of identifying software that might pose a systemic risk, as the world grapples with the recent log4j open source software vulnerability that has put millions of devices at hacking risk.

Following a summit on open-source security hosted at the on Thursday, said the collaboration between government and the private sector was needed for open-source funding and management.

"We need a public-private partnership to identify a list of critical open source projects -- with criticality determined based on the influence and importance of a project -- to help prioritise and allocate resources for the most essential security assessments and improvements," said Kent Walker, president for global affairs and chief legal officer at and Alphabet.

Open source software code is available to the public, free for anyone to use, modify, or inspect.

Since it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems.

"That's why many aspects of critical infrastructure and national security systems incorporate it. But there's no official resource allocation and few formal requirements or standards for maintaining the security of that critical code," said Google.

In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

"Longer term, we need new ways of identifying software that might pose a systemic risk -- based on how it will be integrated into critical projects -- so that we can anticipate the level of security required and provide appropriate resourcing," Google noted.

The 'Log4j' vulnerabilities represent a complex and high-risk situation for across the globe.

This open-source component is widely used across many suppliers' software and services.

"Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities," according to

Cyber criminals are making thousands of attempts to exploit a second vulnerability involving a Java logging system called 'Apache log4j2'.

Google recently said that more than 35,000 Java packages, amounting to over 8 per cent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed vulnerabilities with widespread fallout across the software industry.

The Apache Software Foundation has released several updates in the wake of the widespread 'Log4Shell' vulnerability in Log4j version 2 branch.

--IANS

na/svn/dpb

(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)

Dear Reader,


Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Fri, January 14 2022. 11:14 IST
RECOMMENDED FOR YOU
.