Google has just given open source software a major boost with the launch of dedicated security and support teams.
The “Open Source Maintenance Crew” will be a new team of developers who will work on security issues related to open source projects, such as configuring updates.
The announcement came at the White House Open Source Security Summit, where Google joined the Open Source Security Foundation (OpenSSF) and the Linux Foundation to discuss issues surrounding open source security.
Why the move?
Back in December 2021, White House national security adviser Jake Sullivan sent a letter to the CEOs of US tech companies after the Log4Shell vulnerability in Apache's popular open source Java logging framework Log4j was identified.
According to a blog post by Microsoft, the vulnerability was used to install malware, for cryptomining, to add devices to the Mirai and Muhstik botnets, to drop Cobalt Strike beacons, to scan for information disclosure, or for lateral movement throughout the affected network.
“This problem of securing open-source software is not just about money, for many critical open-source projects it is about the amount of people involved and how much time they can spend on the work,” said Principal Engineer of Open Source Security at Google, Abhishek Arya.
“Even with more funding, we need capacity to direct that money to the right goals. This is a people problem as well as a money problem.”
He added: “To meaningfully address this challenge, Google resourced the 'Open Source Maintenance Crew' with the idea that an entity such as OpenSSF could administer the group and serve as a matchmaker for critical projects.”
The move comes as open source adoption is building momentum and support within the IT community, with use cases like online collaboration fuelling its popularity.
The recent 2022 State of Open Source Report, conducted by OpenLogic, surveyed 2,660 professionals and their organizations that use open source tools, finding that over a quarter (27%) said they had no reservations at all about such tools, while only 13.9% were concerned about them being unsecured and untested.