Log4j, the White House questions Apple, Amazon and Google on security

Start Magazine

The White House met with executives from Apple, Amazon, Google, Meta, IBM and others to discuss software security following multiple attacks on the United States that exploited open source software

Apple, Google, Amazon, Facebook and other tech giants were called to Washington to explore the security threats posed by open source software dependencies. Yesterday, executives from major US technology companies attended a White House meeting on cybersecurity. The meeting was first reported by Reuters.

The meeting comes as a result of multiple attacks on the United States that have exploited open source software. In December, White House National Security Advisor Jake Sullivan sent a letter to CEOs of tech companies after the discovery of a security vulnerability in open source software called Log4j.

The flaw in Log4j is a zero-day vulnerability (CVE-2021-44228) that first emerged on December 9th. The bug leaves the Java language, used by millions of web servers, vulnerable to attack, and teams around the world are trying to fix affected systems before hackers can exploit them.

In the letter, Sullivan noted that such open source software is widely used and therefore represents a "key national security concern".

As Reuters notes, cybersecurity is a top priority for the Biden administration after several major cyber attacks last year.

All the details.

THE MEETING AT THE WHITE HOUSE

At the center of the January 13 meeting, hosted by Deputy National Security Advisor for Information and Emerging Technology Anne Neuberger, were concerns about the security of open source software and how it can be improved, the White House said in a statement.

COMPANIES THAT HAVE PARTICIPATED

In addition to Apple, Google and Amazon, the other technology companies present at the meeting were IBM, Microsoft and Meta Platforms, which owns Facebook. The Apache Software Foundation, the owner and maintainer of the Log4j library, and Oracle, the owner of the Java software platform on which the Log4j library runs, also took part in the summit. GitHub and the Linux Open Source Foundation were also represented, according to The Verge.

TOGETHER WITH FEDERAL AGENCIES

In addition to representatives of the technology industry, government agencies were also present, including the Department of Homeland Security, the Department of Defense and the Department of Commerce. Other agencies include the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation, according to Cyberscoop.

AFTER SOLARWINDS, THE FEARS ABOUT THE FLAW IN LOG4J

The discovery of the vulnerability in the open source software Log4j therefore made the meeting urgent. This discussion also comes after incidents including the 2021 SolarWinds hack, in which attackers gained access to government emails and phones. It also follows the breach of the US Treasury Department in 2020.

In May 2021, well before Log4j's vulnerability was discovered, President Biden issued an executive order on improving US cybersecurity. Among other things, the order required federal government agencies to strengthen their software supply chains by "guaranteeing and attesting, to the extent possible, the integrity and provenance of open source software."

COMMENT: We have created a software test system that compares the lines of code with the lines executed in the various tests, obtaining the untested lines that could be the source of future problems. Everything works, just divide the code into use cases according to the methodology currently adopted in the main software farms.