Google steps up to tackle the challenge of maintaining, for free, open source software like Log4j that has shaken the world



Since the source code of open source software is open to the public free of charge, it is difficult to sell the software and generate revenue, so 'where to secure income' is a very important issue for developers. Google has announced efforts to support engineers involved in the development and maintenance of such open source software.

Making Open Source software safer and more secure

https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

Open source software has continued to expand since its advent, and it has been pointed out that open source software developers create value worth over 10 trillion yen, making a significant contribution to the technology industry. On the other hand, the inability to secure a sustainable income on the development side of open source software has long been regarded as a problem, and the vulnerability 'Log4Shell (CVE-2021-44228)' discovered in Java's Log4j library had a great impact on the world. When it was discovered, it became clear that there were only three Log4j maintainers on GitHub. This highlights the fact that open source software and libraries are made possible thanks to a very small number of unpaid volunteers.

Marak, the developer of the popular open source library colors.js, which is downloaded more than 20 million times a week, said, 'I want companies to stop using my libraries for free.' Despite his repeated appeals, companies never paid him, so in his outrage he destroyed the library and made it unusable. From this situation, you can see how difficult it is to secure income while developing and maintaining open source software and libraries.

The author, who had warned large companies to provide financial support instead of using his work free of charge, finally got angry and destroyed colors.js and faker.js, which are downloaded more than 20 million times a week, making them unusable --GIGAZINE



As you can see, even though open source software is embedded in many important infrastructures and national security systems, the work of fixing vulnerabilities in them is basically done on a volunteer basis.

In addition, open source software is generally recognized as safe because of its transparency, but, as the case of Log4j shows, it carries problems such as 'few people are involved in maintenance' and 'a single problem can have a big impact'.

Google is working to raise awareness of this situation, and it has invested millions of dollars (hundreds of millions of yen) in the development of frameworks and new protection tools. Specifically, as part of a plan announced in 2021 to invest $10 billion in promoting cybersecurity, Google has promised to expand the adoption of the Supply-chain Levels for Software Artifacts framework and to protect major open source components. It is also investing $100 million to support independent organizations such as the Open Source Security Foundation (OpenSSF), which helps fix vulnerabilities.

However, Google says that more work is needed to keep open source software maintained and secure. Google therefore announced that it would attend the Open Source Software Security Summit held at the White House and cooperate with the government to strengthen the collective cybersecurity of the United States in important areas such as open source software. At this Open Source Software Security Summit, Google made proposals to make the open source software community more sustainable.



Google first argued that 'we should make a list of important open source projects' in order to assess and improve software security and to prioritize and allocate resources, and that a public-private partnership is needed to do so.

It went on to argue that industry and government should work together to establish standards for security, maintenance and testing so that infrastructure and other critical systems can rely on open source projects. Organizations like OpenSSF are already working on establishing such standards.

And because more public and private investment is essential to keep open source projects healthy and safe, Google proposed establishing an organization that matches open source projects in need of support with the resources to maintain them. 'We are ready to provide resources for this effort,' Google said.



'Given the importance of digital infrastructure in our lives, it's time to start thinking of it like physical infrastructure,' Google said in a statement. 'Open source software is what connects organizations to the world online; it plays the role we expect from roads and bridges in the real world. The White House meeting recognized these challenges and responded to them, and was an important step toward tackling the issue. We praise and support the efforts of the National Security Council, the Office of the National Cyber Director, and DHS CISA to coordinate and address cybersecurity challenges, and we look forward to continuing to play our role.'

Google CEO Sundar Pichai said, 'Protecting the open source software ecosystem is an important step in keeping people and their information safe online. As part of an ongoing partnership to enhance cybersecurity, we are pleased to share our recommendations with the White House and others.'



in Software, Security, Posted by logu_ii