Google will create a security team for open source projects

Google on Thursday announced the creation of a new “Open Source Maintenance Team” to improve the security of critical open source projects.

Google also unveiled two other projects — Open Source Insights’ Google Cloud Dataset — designed to help developers better understand the structure and security of the software they use.

“This dataset provides access to critical software supply chain information for developers, maintainers, and consumers of open source software,” Google explained in a blog post.

The tech giant also said it would improve its OSS-Fuzz service for open source developers, which has helped researchers track down more than 2,300 vulnerabilities in more than 500 projects over the past year.

The announcements came after Google executives joined 80 other executives from several other companies in a meeting led by the Open Source Security Foundation (OpenSSF) and the Linux Foundation on the progress of open source software security initiatives over the months since they were all invited to a White House summit called by the National Security Council.

The White House meeting was called in light of serious concerns over attacks and significant vulnerabilities in critical open source libraries such as Codecov and Log4j.

OpenSSF was created in 2020 by leading tech companies to help direct, guide, and share open source security tools.

Apart from Google, the OpenSSF member list also includes GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, and many more.

At a press conference after the meeting, OpenSSF chief executive Brian Behlendorf said the organization had secured approximately $30 million in pledges from Amazon, Ericsson, VMware, Intel, Microsoft and Google to help fund a series of efforts to secure open source projects.

Almost all major software packages include open source software, including software used by the national security and critical infrastructure community.

Behlendorf added that the group is looking to expand beyond the United States and coordinate with international partners on open source security projects.

Several experts also talked about initiatives centered on software bills of materials — an effort the Cybersecurity and Infrastructure Security Agency is working on.

After Thursday’s meeting, Google executives explained that the open source maintenance team “will work directly to improve the security of critical open source projects.”

“In addition to this initiative, we have contributed ideas and participated in discussions about improving the security and reliability of open source software,” Google said.

They noted that OpenSSF “has become a community town hall to drive security engineering efforts, discussions, and industry-wide collaboration.”

Over the past few months, the companies have created a new vulnerability format developed and adopted by several open source ecosystems, including Python, Rust, Go and others.

Two weeks ago, OpenSSF announced a tool that can be used to scan popular open source repositories for malicious packages. Google has touted another project – Open Source Insights – which analyzes open source packages and provides detailed graphs of dependencies and their properties.

“With this information, developers can understand how their software is put together and the consequences of changing their dependencies, which, as Log4j has shown, can be serious when the affected dependencies are several layers deep in the graph of dependencies,” Google explained.

At the press conference following the meeting, Behlendorf pointed to a report compiled with researchers at the Harvard Laboratory for Innovation Science that listed free and open-source software used in production applications for thousands of companies.

The report highlighted potential areas of concern and helped security researchers find potential trouble spots. But he noted that as vulnerabilities are discovered every day, it’s nearly impossible to predict where the next major gaps will be.

“The only software that has no bugs is userless software,” Behlendorf said.

“So what’s important is: how do you find them before the bad actors? How do you fix them as soon as possible? And then how do you get this fix out to the rest of the world?”

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.