On May 12, at the White House Open Source Software Security Summit, Google discussed open source security initiatives with the Linux Foundation, the Open Source Software Security Foundation (OpenSSF), and other industry leaders, and announced the formation of an “Open Source Maintenance Team.” This is a team of developers who will work on securing upstream open source projects, from tightening configurations to deploying updates.
Google eyes open source software security
The summit is a follow-up to a White House discussion session on open source security in January, where attendees discussed the critical role of open source software in the industry and how to better address the challenges open source maintainers face when trying to improve the security of their projects. Chief among them is the lack of financial and human resources to prevent, find and fix systemic security weaknesses.
“Given the importance of digital infrastructure in our lives, it’s time to start thinking about it the same way we do physical infrastructure. Open source software is the connective tissue of much of the online world – it deserves the same attention and funding we give our roads and bridges,” Kent Walker, Google’s president of global affairs and chief legal officer, said after the January meeting.
The size of the new open source maintenance team has not been disclosed, but it could be substantial given the amount of resources at Google’s disposal, and which open source projects the team chooses to maintain will also depend on a number of factors.
On the financial front, Google last year committed $10 billion over the next five years to help improve cybersecurity through various programs and initiatives, including $100 million to support organizations like OpenSSF. Additionally, Google has created the Open Source Insights project, which provides a dependency graph for all open source packages.
“The project analyzes open source packages and provides detailed diagrams of dependencies and their properties. With this information, developers can understand how their software fits together and the consequences of changes in their dependencies – as Log4j shows, this can be serious when the affected dependencies sit many layers deep in the dependency graph,” Google said in a blog post.
Ten goals established by the open source software ecosystem
The summit comes just one year after the Biden administration issued an executive order to improve the security of the software supply chain.
At the summit, the Linux Foundation and OpenSSF called for $150 million over two years to address ten major open source security issues. They include:
- Security Education: Provide baseline secure software development education and certification to all.
- Risk Assessment: Build a public, vendor-neutral, objective-metric-based risk assessment dashboard for the top 0,000 or more OSS components.
- Digital Signatures: Accelerate the adoption of digital signatures in software releases.
- Memory Safety: Eliminate the root cause of many vulnerabilities by replacing non-memory-safe languages.
- Incident Response: Establish an OpenSSF open source security incident response team of security experts who can step in to assist open source projects at critical moments when responding to vulnerabilities.
- Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts with advanced security tools and expert guidance.
- Code Audits: Annual third-party code reviews (and any necessary remediation efforts) of up to 200 of the most critical OSS components.
- Data Sharing: Coordinate industry-wide data sharing to improve research that helps identify the most critical OSS components.
- Software Bill of Materials (SBOM): Continuous improvement of ubiquitous SBOM tools and training to drive adoption.
- Improved Supply Chain: Enhance the 10 most critical open source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.
About OpenSSF
The Open Source Software Security Foundation (OpenSSF) was created in 2020 to bring together a broad range of community leaders to establish targeted programs and best practices to improve the security of open source software. In addition to Google, OpenSSF members include GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, and more.
The text and pictures in this article are from InfoQ
This article is reprinted from https://www.techug.com/post/google-pays-money-and-people-so-it-is-urgent-to-protect-the-security-of-open-source.html