Solving open-source security, one summit at a time

Representatives from some of the biggest tech companies in the U.S. spent more than five hours Thursday locked in discussions with the White House about what to do about a pressing problem: the security of the open-source projects that are the foundation of the modern economy.

This is not a new problem;the Heartbleed OpenSSL vulnerability in 2014 should have been enough of a wake-up call for both the government and private industry, but almost eight years later, here we are. Thursday’s summit was prompted by the discovery last month of the Log4j vulnerability, and as GitHub Chief Security Officer Mike Hanley told Protocol Enterprise after getting out of the meeting, “there will be another big deal at some point in the future that we’re going to need to respond to.”

• The meeting was organized as a group discussion, rather than a presentation, which meant all representatives present got a chance to speak and later assembled in breakout rooms to discuss specifics.
• The emphasis was on finding ways for the public sector and private sector to work together to identify the challenges inherent in securing open-source software.
• “One of the things that stood out about just the existence of this thing is the government's recognition of the importance of open-source software,” said Robert Blumofe, CTO at Akamai and meeting participant. “It wouldn't have been completely inconceivable for the government to start to take a very negative approach and say, ‘well, we can't trust open source,’ or view open source as the scapegoat.”

One key conclusion reached by the group? Open-source projects can’t be treated like corporations affected by the Biden administration’s May 2021 cybersecurity executive order, which participants otherwise recognized as an important step forward.

• Simply identifying which open-source projects need security assistance is a daunting task: “One organization, Log4j might have been in their top 10 list of most important software, if you ask them about it, and another organization it might have been number 4,221,” Hanley said.
• The group discussed “finding ways to support open source in a way that doesn't overburden the developers, but rather actually supports the developer and the developer community with tools, with education, with support, and things like that,” Blumofe said.

Still, consumers of open-source software — almost all modern enterprise tech vendors and buyers at this point — also need to do their part to improve open-source security.

• The group discussed settling on “baseline standards for security, maintenance, provenance, and testing,” according to Google, which Blumofe said would help companies build compliance practices around open-source security.
• It sounds like OpenSSF — which is part of the Linux Foundation — will be relied upon to help moderate future discussions between the enterprise megavendors, which do not always share the same priorities.
• Those companies also need to improve their relationships with the open-source projects they rely on to run their business or build their products.
• “You certainly can't expect an open-source developer to contemplate the various ranges of implementations that their software could be incorporated into,” Hanley said.

Meetings such as Thursday’s summit only help if they are followed by concrete action. The White House is expected to follow up in the next few days with some specific proposals as well as a plan for a second meeting involving major tech CEOs, according to several participants.

— Tom Krazit (email |twitter)

A MESSAGE FROM CLARI

Think success is predictable? Join the Club. Watch the season premiere of Clari's Club Revenue on Nasdaq as Pilar Schenk, COO of Cisco Collaboration, unpacks the rapid growth trends driving the future of revenue.

Learn more

Building guardrails for low-code AI

Ebay chief artificial intelligence officer, Nitzan Mekel-Bobrov, is on a mission to make eBay what he calls an “AI-first company.” What exactly does that look like?

“You’ll be seeing more products rolling out, especially on our mobile platform, to close the gap between ecommerce and physical retail to enable buyers to experience products in an immersive way so they have full confidence in their buying decision,” said Mekel-Bobrov in an interview this week with Protocol. The December launch of its AI-based 3D product view technology was just the beginning of eBay’s strategy to bring computer vision, natural-language processing, streaming and computer graphics to its site.

Getting to AI-first means taking domain-specific AI strategies used inside the marketing and advertising science teams and buyer experience divisions, and then “feeding into the broader enterprise-wide strategy around maturing our AI,” he said.

But that does not mean letting eBay-ers run rampant by using no-code and low-code AI tools without best practices and safeguards in place. Mekel-Bobrov is setting up an internal group to develop data and AI governance standards for use of low-code AI tech.

“We have to be very careful as we do this because we need to understand what’s being put into production in front of our customers,” he said. “With AI, the piece of software could be performing correctly, but you need to monitor it because the world changes and it’s reacting to the world.”

Upcoming at Protocol

We’ve talked at length about the promise of low-code and no-code software development tools to make companies more efficient and allow a bigger percentage of the population to create software, but how can companies implement those tools inside their organizations most effectively? Join Protocol’s Kevin McAllister on Jan. 19 at 10am PT for a virtual event with Nutanix CIO Wendy M. Pfeiffer and Kerim Akgonul, chief product officer at Pegasystems, in discussion about the best ways to make low-code and no-code tools work for you. Sign up here.

Enterprise moves

Karen Pavlin is ServiceNow’s new chief equity and inclusion officer. Pavlin formerly led Accenture’s equality efforts as managing director and North America inclusion and diversity leader.

John Allessio has been named chief customer officer at Digital.ai, a DevOps management platform. Allessio formerly held customer-facing roles at IBM Software Group, Red Hat and PROS.

Dustin Grosse has been appointed chief marketing and strategy officer for Talend, a data integration and governance company. Grosse has held marketing roles at DocuSign and Microsoft.

Rob Dillon is the new CFO for data analytics company Incorta. Dillon formerly led Navis through its divestiture from Zebra Technologies.

Around the enterprise

Intel is reportedly building a new semiconductor factory in Ohio to bolster its manufacturing capability.

Databricks launched Lakehouse for Retail, an analytics platform that helps retailers gain insights from their data.

Databricks CEO Ali Ghodsi isn’t concerned about the cloud stock slide, saying growth rates will determine valuations. The company is widely expected to file for an IPO this year.

Cloudastructure, an infrastructure platform for video surveillance, is buying smart-parking startup Visionful.

Orca Security discovered a vulnerability in AWS CloudFormation that could have been used to leak sensitive files but was plugged through the responsible disclosure process, and it doesn’t appear to have been exploited.

A MESSAGE FROM CLARI

Club Revenue breaks down the tactics of the sharpest minds shaping the digital transformation of sales.

Hosted by Clari's Cornelius Willis and presented by Nasdaq, each episode features a revenue virtuoso and their creative strategies for high performance and explosive growth. Watch now to learn how to transform your sales teams into revenue machines.

Learn more