Google Is Backing Security Reviews Of These Key Open Source Projects

Google recently pledged $100 million to groups that manage open source security priorities and help fix vulnerabilities, and it has now detailed eight of the projects it has chosen to support. 

Just last month, the Linux Foundation announced it would directly fund people to work on the security of open-source projects, with backing from Google, Microsoft, the Open Source Security Foundation (OpenSSF) and Linux Foundation Public Health. The Linux Foundation coordinates fixes when bugs are found.

The foundation and its partners are looking for previously unknown security issues through security audits to be undertaken by the Open Source Technology Improvement Fund (OSTIF). The planned work includes two Linux kernel security audits.


Now Google has thrown its weight behind a chunk of OSTIF’s immediate audit plans. 

“Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open source ecosystem,” said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

Probably the biggest of the eight audit projects Google is funding is Git, the “de facto” version control software created by Linux kernel creator Linus Torvalds and which forms the basis of platforms like GitHub and GitLab.

“Git is the second-most critical application in C and the 10th-most critical application across all platforms,” OSTIF notes, adding that it is “undoubtedly one of the most critical pieces of open-source software in the world.”   

The other seven are widely used JavaScript, PHP and Java libraries and frameworks for web development: Lodash, a JavaScript utility library that the article notes is used in Chrome and other browsers; Laravel, a PHP web application framework; SLF4J, the Simple Logging Facade for Java; the Jackson-core and Jackson-databind JSON libraries for Java; and the Apache HttpComponents core and client libraries (httpcomponents-core and httpcomponents-client).

“The eight libraries, frameworks and apps that were selected for this round are those that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them,” explained Trychon. 

The contribution from Google will help OSTIF find and fix bugs in key open source projects. 

OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects still awaiting funding include well-known systems and tools developers rely on, such as the Drupal and Joomla web content management systems, webpack, reprepro, Ceph, Facebook-maintained React Native, Salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java libraries.

After a meeting between US president Joe Biden and top US tech companies last month, Google announced a $10 billion commitment to expanding zero-trust programs, helping to secure software supply chains, and enhancing open source security.
