This week something remarkable happened. The US Senate held a non-partisan committee hearing called "Responding to and Learning from the Log4Shell Vulnerability".
It was led by Chairman Gary C. Peters of Michigan and Ranking Member Rob Portman of Ohio, and, get this, they actually knew what they were talking about. They understand the complexities of the open source supply chain and are looking for ways government policy can help the community with support and resources.
The four witnesses are industry veterans who, in my opinion, did a fantastic job in their statements and in answering questions from other senators on the Homeland Security & Governmental Affairs Committee, especially David Nalley (ASF President) and Jen Miller-Osborn (Unit 42, Palo Alto Networks). Read their statements: David and Jen.
The new package bill was introduced amid calls for increased government support of open-source software development.
Cisco, Palo Alto, Apache execs look at Log4j vulnerability responses, and the likelihood of future issues.
In a U.S. Senate hearing on Tuesday, the Apache Software Foundation and leaders from Cisco, Palo Alto Networks and The Atlantic Council discussed open source
Every stakeholder in the software industry, especially the federal government and major customers, should be investing in supply chain security, Nalley said.
Sarah Gran and Josh Aas of ISRG go in-depth about their work on Prossimo to bring memory safe code to critical digital infrastructure and some other projects they are investing in this year.
"Log4Shell has rightfully highlighted the urgent need for ongoing conversations about open source software security" - Jen Miller-Osborn
Disclaimer: All links that I (Justin) post in any newsletter issue are what I find interesting and/or thought-provoking. I don’t agree with everyone but do value their perspectives.