Tech giants pledge $30M to boost open source software security

source link: https://finance.yahoo.com/news/tech-giants-pledge-30m-boost-135827247.html


Carly Page
Mon, May 16, 2022, 10:58 PM·2 min read

Tech giants including Amazon, Google and Microsoft have pledged millions of dollars to bolster the security of open source software.

The pledge was made during a meeting in Washington DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.

The industry gathering, which was attended by government leaders and over 90 executives from 37 companies, is a follow-up to the historic White House summit convened in January in the wake of the Log4Shell zero-day vulnerability. The flaw affected Apache's Log4j library, a ubiquitous piece of logging software, and put millions of devices worldwide at risk. According to a study from March, almost a third of instances remain unpatched.

During last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.

The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open source community, the elimination of non-memory-safe programming languages like C++ and COBOL, and annual third-party code reviews of 200 of the most critical open source software components.

The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.
