DC summit marks progress toward post-Log4j overhauls

Software attestation, developer education are key initiatives.
Francis Scialabba

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The Log4j catastrophe exposed countless servers and applications to a major vulnerability in the Java-based logging platform, empowering bad actors to infiltrate or hijack devices. More than two years after the flaw came to light, there’s one silver lining: The government is paying attention.

At the second Secure Open Source Software Summit, Biden administration leaders like acting national cyber director Kemba Walden and deputy national security advisor Anne Neuberger convened alongside big industry players to map out strategies for a safer software ecosystem.

The event, which ran from Sept. 12–13, showcased the momentum driving the development and implementation of protocols to make open-source software components more transparent and traceable, attendee Moran Ashkenazi, chief security officer at software platform JFrog, told IT Brew.

“It’s clear to them how crucial, how critical it is,” she said of the government’s commitment to open-source improvements. “Open source leads to technology, leads to business, and eventually, to every civilian’s life. That’s a line that is super clear to the government. And therefore it’s funded.”

The summit, organized by the Open Source Security Foundation (OSSF) and held next door to the White House, also showed off significant progress toward practical steps that will limit the impacts of corrupted open-source code in the future, JFrog product manager Sharan Hiremath told us.

He noted that tens of thousands of developers have now completed the OSSF’s secure software development training, and most code repositories are committed to hosting software that’s been verified and signed off on by its creators.

“Every public binary that you will be downloading from open source will be signed, so you can say, ‘Oh, yeah, this is the official one.’ Nobody [made] a copy and modified [it], for example,” Hiremath said.

The industry is also mobilizing around the OSSF scorecard, a consumer-facing tool released in 2020 that’s meant to incentivize open-source developers to use security best practices.

“The power of the consumers to look for that as well, [to] require that—it’s a very high motivator for the contributors to make sure they get high scores,” Ashkenazi said.

Another positive benchmark? The number of women on stage at the Ronald Reagan Building.

“The diversity of speakers was amazing, something I have never seen before,” Ashkenazi said, noting that such diversity didn’t exist 25 years ago when she joined the industry. “I was sitting there, just so happy to see that has changed.”