Google just gave open source software a major boost with the launch of dedicated security and support teams.
The “Open Source Maintenance Crew” will be a new team of developers who will work on security issues related to open source projects, such as configuring updates.
The announcement was made during the White House Open Source Security Summit, where Google joined the Open Source Security Foundation (OpenSSF) and the Linux Foundation to discuss open source security issues.
Why the move?
In December 2021, White House National Security Adviser Jake Sullivan sent a letter to CEOs of US tech companies after the Log4Shell vulnerability was identified in Apache’s popular open-source Java logging framework, Log4j.
According to a Microsoft blog post, the vulnerability has been used to install malware, for cryptomining, to add affected devices to the Mirai and Muhstik botnets, to drop Cobalt Strike beacons, for information disclosure, and for lateral movement on the affected network.
“This issue of securing open source software isn’t just about money, for many critical open source projects, it’s about how many people are involved and how much time they can commit to the work,” said Google’s senior open source security engineer, Abhishek Arya.
“Even with more funding, we need the ability to direct that money to the right goals. It’s a people problem as much as a money problem.”
He added, “To address this challenge in a meaningful way, Google provided resources to the ‘Open Source Maintenance Team’ with the idea that an entity such as OpenSSF could administer the group and act as a conduit for critical projects.”
The move comes as open source adoption gains momentum and support within the IT community, with use cases such as online collaboration fueling its popularity.
The recent 2022 State of Open Source Report, conducted by OpenLogic, surveyed 2,660 professionals and their organizations who use open source tools, and found that more than a quarter (27%) said they have no reservations about these tools, while only 13.9% were concerned about them being insecure and untested.