- Matthew Spencer - Tech Journalist
Google making open-source software safer and more secure vs private companies hoarding the data
Tech giant Google recently participated in the White House Open Source Software Security Summit, convened to address collective security concerns. Questions were raised about the open-source software model and how it benefits private companies.
The White House gathering brought insight into the division between the open-source community and the private sector. The private sector leverages the open-source model heavily, but the problem is that anyone can work with it.
That is not much of a problem in itself, as the open-source model is built to give everyone access to base-level building blocks on top of which companies can develop their own products.
A publication by Kent Walker, President of Global Affairs & Chief Legal Officer at Google & Alphabet, revealed exciting information. Participation in the White House Open Source Software Security Summit was genuinely fascinating. It brought together insight from one of the largest technology companies in the world with government initiatives.
The recent Log4j open-source vulnerability shook the world and showed us many things. The lesson is that collective progress requires facing these troubles and tackling them first. Looking closely at the resources available for safeguarding open-source tools reveals many problems that still need solving.
Let's see how the open-source model makes software vulnerable. Open-source projects are freely accessible to anyone: us, you, malicious groups, students, IT managers, everyone. On the flip side, the code stays public for an indefinite amount of time, giving malicious hacker groups plenty of time to experiment.
When organisations in the private sector use the code and modify it for their own needs, the underlying structure stays the same. It is easier to manipulate than software a company writes itself and keeps private.
Though the Log4j vulnerability was exploited a month ago, companies are still struggling. The struggle is real when the whole infrastructure depends on an open-source model and there are many weaknesses similar to the one Log4j exposed.
After Log4Shell's disclosure, identifying where it sat in enterprise stacks became an urgent task. The whole open-source community and the private sector are working hand in hand to find solutions so that it doesn't happen again.
But we all know that in the online realm nothing is 100 per cent secure. It's just a matter of time before a new vulnerability comes out, and there are plenty of examples.
Because open-source code is freely available, it is shared knowledge worldwide. The open-source collaboration process has brought us more fascinating ideas and programs than all the private sector combined. This means abandoning open-source software is not an option.
For a long time, organisations and individuals assumed the open-source model made software more secure and transparent, meaning most believed they knew what was under the hood.
In reality, the model relies on 'many eyes' watching to detect problems. Some projects attract far more eyes than they need, yet security issues still build up.
Google, among many things, gives extra priority to security. Its plans for advancing cybersecurity and awareness amount to $10 billion, with millions invested in developing frameworks and new protective tools. Open-source projects such as Linux are also a focus of Google's attention.
Its pledge to expand Supply-chain Levels for Software Artifacts (SLSA, pronounced 'salsa') is excellent for open-source architecture. SLSA is developed to protect open-source components, and the pledge includes $100 million to support independent organisations.
The Open Source Security Foundation (OpenSSF) is one such organisation and will help fix vulnerabilities.
A key component of protecting open-source projects is identifying the critical tasks at the earliest stage. This is followed by establishing security measures with maintenance and testing baselines. Lastly, public and private support for the critical infrastructure that depends on the open-source model must increase.