Google to create security team for open source projects

Google announced on Thursday that it is creating a new “Open Source Maintenance Crew” tasked with improving the security of critical open source projects. 

Google also unveiled two other projects — Google Cloud Dataset from Open Source Insights — designed to help developers better understand the structure and security of the software they use.

“This dataset provides access to critical software supply chain information for developers, maintainers and consumers of open-source software,” Google explained in a blog post. 

The tech giant said it would be improving the OSS-Fuzz service for open source developers that has helped researchers spot more than 2,300 vulnerabilities in over 500 projects over the last year. 

The announcements came after Google executives joined 80 other leaders from several other companies in a meeting led by the Open Source Security Foundation (OpenSSF) and the Linux Foundation about the progress made on open source software security initiatives in the months since they all were invited to a White House summit convened by the National Security Council. 

The White House meeting was called in light of the grave concerns raised around prominent attacks and vulnerabilities in critical open source libraries like Codecov and Log4j. 

OpenSSF was created in 2020 by big tech firms in order to help steer, guide, and share open-source security tools.

Besides Google, the OpenSSF member list also includes GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung and many more.

During a press conference after the meeting, OpenSSF general manager Brian Behlendorf said the organization has secured about $30 million in pledges from Amazon, Ericsson, Vmware, Intel, Microsoft and Google to help fund a range of efforts to secure open source projects. 

Almost all major software packages include open source software, including software used by the national security community and critical infrastructure. 

Behlendorf added that the group is looking to expand beyond the US and coordinate with international partners on open source security projects.

Several experts also spoke about initiatives centered around Software Bills of Materials -- an effort the Cybersecurity and Infrastructure Security Agency is working on.

After the meeting on Thursday, Google executives explained that the Open Source Maintenance Crew will “work directly on improving the security of critical open source projects.” 

“In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software,” Google said. 

They noted that OpenSSF “has become a community town hall for driving security engineering efforts, discussions, and industry-wide collaboration.”

Over the last few months, the companies created a new vulnerability format developed and adopted by several open source ecosystems including Python, Rust, Go and others. 

Two weeks ago, OpenSSF announced the creation of a tool that can be used to scan popular open-source repositories for malicious packages. Google touted another project – Open Source Insights – that analyzes open source packages and provides detailed graphs of dependencies and their properties.

“With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google explained. 

During the press conference after the meeting, Behlendorf pointed to a report compiled with researchers from with the Harvard Laboratory for Innovation Science that catalogued free and open source software used in production applications at thousands of companies.

The report highlighted potential areas of concern and helped security researchers find potential problem spots. But he noted that vulnerabilities are found every day it is nearly impossible to predict where the next major gaps will be.

"The only software that does not have any bugs in it is software with no users," Behlendorf said.

"So what's important is, how do you find them before the bad actors? How do you get them fixed as quickly as possible? And then how do you get that fix permeated out there into the rest of the world?"