• Google is also focusing on improving the OSS-Fuzz service for open source developers.
  • Google’s constant focus on supporting the open source community holds the potential to reduce vulnerabilities that put organizations at risk and increases the overall security of the software supply chain.

Google announced the introduction of a new ‘Open Source Maintenance Crew’ with a vision to improve the security of critical open source projects.

The announcement was made at the White Home Open Supply Safety Summit, where Google joined the Open Supply Safety Basis (OpenSSF), Linux Basis, and other trade leaders to review open-source security initiatives.

The maintenance crew includes a team of developers responsible for ensuring the security of upstream open source projects, from tightening configurations to deploying updates.

Google’s constant focus on supporting the open source community holds the potential to reduce vulnerabilities that put organizations at risk and increases the overall security of the software supply chain.

The tech giant also mentioned that it would be working on improving the OSS-Fuzz service for open source developers, which has helped researchers identify more than 2,300 vulnerabilities in over 500 projects over the last year.

The announcements were made after Google executives joined 80 other leaders from different companies in a meeting conducted by the Open Source Security Foundation (OpenSSF) and the Linux Foundation. The leaders came together to review the progress made on open source software security initiatives in the months since they all were invited to a White House summit convened by the National Security Council.

The White House meeting was convened in light of the grave concerns highlighted around prominent attacks and vulnerabilities in critical open source libraries like Codecov and Log4j.

Established in 2020, OpenSSF was built by big tech firms with a vision to help steer, guide, and share open-source security tools.

Other OpenSSF members include GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, etc.

Open-source security initiatives have seen increased growth because the open-source services market is witnessing growth. Researchers predict that the market will scale to a value of USD 50 billion by 2026, growing at a compound annual growth rate of 18.2%.

In a press conference held after the meeting, OpenSSF general manager Brian Behlendorf said the organization had secured about USD30 million in pledges from Amazon, Ericsson, Vmware, Intel, Microsoft, and Google to help fund a range of efforts to ensure open source projects.

Open source software is included in almost all major software packages, including the software used by the national security community and critical infrastructure.

Behlendorf mentioned that the group has further plans to expand beyond the US and coordinate with international partners to create more open source security projects.

Other experts expressed their view that the initiatives focused on Software Bills of Materials — an effort the Cybersecurity and Infrastructure Security Agency is working on.

Immediately after the meeting, Google executives expressed that the Open Source Maintenance Crew will “work directly on improving the security of critical open source projects.”

“In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software,” Google said.

They noted that OpenSSF “has become a community town hall for driving security engineering efforts, discussions, and industry-wide collaboration.”

The companies have created a new vulnerability format developed and adopted by several open source ecosystems, including Python, Rust, Go , and others, in the last few months.

Last month, OpenSSF also announced the creation of a tool that can be used to scan popular open-source repositories for malicious packages. Google touted another project – Open Source Insights – that analyzes open source packages and provides detailed graphs of dependencies and their properties.

“With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google explained.

During the press conference after the meeting, Behlendorf pointed to a report compiled by researchers from the Harvard Laboratory for Innovation Science that catalogued free and open source software used in production applications at thousands of companies.

The report highlighted potential areas of concern and helped security researchers find potential problem spots. But he noted that vulnerabilities are found every day, and it is nearly impossible to predict where the next major gaps will be.

“The only software that does not have any bugs in it is software with no users,” Behlendorf said.

“So what’s important is, how do you find them before the bad actors? How do you get them fixed as quickly as possible? And then how do you get that fix permeated out there into the rest of the world?”