The Wall Street Journal Pro

Cybersecurity

Sponsored by Netscout

Cyber Daily: Open-Source Groups Call On Tech Giants for Security Help

By James Rundle


Good day. Major technology companies and government agencies held a second meeting on open-source software security in Washington, D.C. on Thursday, following a January gathering organized by the White House.

The aim of the meeting, attendees said, was to flesh out the challenges associated with securing open-source technology. The Open Source Software Foundation and the Linux Foundation, which convened the summit, published a 50-page plan, and a number of companies pledged funding to make it happen.

More on what took place, below, plus Weekend Reading.


NEWSLETTER EXTRA | Open-Source Security

Educating developers on security, dedicating resources for vulnerability response and developing software bills of material were among the key topics discussed at the summit.

While the January meeting on open source was held in the immediate aftermath of the Log4shell vulnerability disclosure, which sent security teams scrambling to patch systems over the holidays and into the new year, this summit was about developing clear plans to tackle issues, attendees said.

“I think it was an opportunity for the industry to come together and say that we can greatly learn from that episode, and now, here are some of the things that we think we can do together to make this much improved going forward. And so I do think it was a significant improvement from the first meeting,” said Jamie Thomas, general manager of systems strategy and development at IBM. 

PHOTO: THE WALL STREET JOURNAL

Ms. Thomas said government attendees included Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, who also participated in the January meeting. The event was held one year after an executive order issued by Mr. Biden also set government wheels in motion on cybersecurity, which in part mandated work on open-source security.

The plan published today by the Open Source Software Foundation and the Linux Foundation is also clear on a major point: Fixing the security issues with open-source software will take time and money. The plan calls for around $50 million in funding for the first two years, with funding for future years to be determined.

Delivering security certifications and training for open-source developers will likely cost $4.5 million in the first year alone, the plan says. Similarly, ensuring that open-source components are digitally signed is estimated to cost $13 million in the first year. Establishing a team at the OpenSSF that can respond to vulnerabilities and provide support for developers is estimated to cost around $3 million per year.

“We realize that's a meaningful amount. We realize that is an amount that, from some degree, is much more than any open-source developer has, or even most open source projects, but when you compare it to the cost of remediating a major vulnerability like we've seen in the last few years, it’s a drop in the bucket,” said Brian Behlendorf, general manager of OpenSSF, during a press conference held after the meeting.

Much of that funding will be met by the largest companies. Around $30 million has already been pledged by Alphabet, Amazon, Ericsson AB, Intel, Microsoft and VMware, Mr. Behlendorf said.

For others, the meeting was a validation of long-held concerns about the security of open-source software, and a recognition that freely available technology still requires resources to maintain.

Brian Fox, chief technology officer of open-source security company Sonatype Inc., said that while previous efforts to fortify security in this area, such as those initiated by the Linux Foundation after the Heartbleed vulnerability in 2014, didn’t have the desired impact, he felt confident lasting change was possible now because of the collective effort on the plan.

“That's the first time that we've attempted to solve it this way. I think that effort will lead to actual concrete actions now, instead of people just coming together and talking about it,” he said.

— James Rundle


More Cyber News

Listen: How are cyber leaders from the U.S. and U.K. tackling hacking and ransomware risks as the war in Ukraine continues? At The Wall Street Journal’s recent CEO Council Summit, we spoke with Lindy Cameron, head of the U.K.’s National Cyber Security Centre, and Anne Neuberger, U.S. deputy national security adviser on cyber and emerging tech. 

33 Million

Number of cyber alerts sent to more than 4,600 organizations by the U.K.'s National Cyber Security Centre in 2021. 

Join us at the WSJ Pro Cybersecurity Forum on June 1

The agenda includes discussions with corporate cyber leaders and policy makers on running a global program, risks in M&A, the outlook for regulation, congressional priorities and more. See the full program here.

Register for a discounted ticket here using the code WSJPro30.

Weekend Reading

They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back.

Businesses Seek to Soften SEC Cyber Rules

U.S., U.K., EU Blame Russia for Cyberattack on Satellite Provider Viasat

Abnormal Security Raises $210 Million in Series C Funding Round

Clearview AI Agrees to Limit Sales of Facial Recognition Database

About Us

Write to the WSJ Pro Cybersecurity Team: Kim S. Nash, James Rundle, Catherine Stupp and David Uberti.

Follow us on Twitter: @knash99, @catstupp and @DavidUberti. 

Contact Enterprise Technology Editor Steve Rosenbush at steven.rosenbush@wsj.com or follow him on Twitter: @Steve_Rosenbush.

Copyright 2022 Dow Jones & Company, Inc. All Rights Reserved.