Google sponsors OSTIF security reviews of critical open source software
Google is giving its financial backing to the Open Source Technology Improvement Fund (OSTIF), with plans to sponsor security reviews in a handful of critical open source software projects.
Open source software plays an integral role in the software supply chain, and it is incorporated into many critical infrastructure and national security systems. However, data suggests “upstream” attacks on open source software have increased significantly in the past year. Moreover, after countless organizations — from government agencies to hospitals and corporations — were hit by targeted software supply chain attacks, President Biden issued an executive order in May outlining measures to combat such attacks.
Today’s announcement comes less than a month after Google unveiled a $10 billion cybersecurity commitment to support President Biden’s plans to bolster U.S. cyber defenses. As part of its five-year investment, Google said it would help fund zero-trust program expansions, secure the software supply chain, improve open source security, and more.
Specifically, Google pledged $100 million to third-party foundations that support open source security.
The first fruits of this commitment will see Google fund OSTIF’s new managed audit program (MAP), with a view toward expanding its existing security reviews to more projects. OSTIF, a nonprofit organization founded back in 2015 to support security audits in open source technologies, initially identified 25 projects for MAP, which it says identifies “the most critical digital infrastructure.” From there, it prioritized eight libraries, frameworks, and apps “that would benefit the most from security improvements and make the largest impact on the open source ecosystem that relies on them.”
These eight projects are: Git, Lodash, Laravel, Slf4j, Jackson-core, Jackson-databind, Httpcomponents-core, and Httpcomponents-client.
It’s worth noting that Google’s investment isn’t entirely altruistic, as its own software and infrastructure rely heavily on robust open source components — the internet giant has announced a slew of similar open source-related security initiatives this year. Back in February, Google revealed it was sponsoring Linux kernel developers, for example, while a few months ago it introduced Supply Chain Levels for Software Artifacts (SLSA), which it touts as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.” The company also recently extended its open source vulnerabilities database to cover Python, Rust, Go, and DWF.
Although OSTIF is focusing MAP on just eight projects for now, it hopes to “significantly grow operations to support hundreds of projects in the coming few years.”