Google just gave a big show of support for open source

Google just gave open source software a big boost with the launch of dedicated security and support teams.

The "Open Source Maintenance Team" will be a new team of developers that will work on security issues related to open source projects, such as configuring updates.

The announcement was made during the White House Open Source Security Summit, where Google joined the Open Source Security Foundation (OpenSSF) and the Linux Foundation to discuss open source security issues.

Why the move?

In December 2021, White House National Security Adviser Jake Sullivan sent a letter to CEOs of US tech companies after the Log4Shell vulnerability was identified in Apache Log4j, the popular open source Java logging framework.

The vulnerability has been used to install malware, mine cryptocurrency, add devices to the Mirai and Muhstik botnets, drop Cobalt Strike beacons, seek information disclosure, and move laterally on the affected network, according to a Microsoft blog post.

"This issue of securing open source software is not just about money; for many critical open source projects, it's about how many people are involved and how much time they can spend on the job," said Abhishek Arya, senior open source code security engineer at Google.

"Even with more funding, we need the ability to direct that money to the right targets. It is a people problem as much as a money problem."

He added: "To meaningfully address this challenge, Google provided resources to the 'Open Source Maintenance Team' with the idea that an entity like OpenSSF could manage the group and act as a conduit for critical projects."

The move comes as open source adoption gains momentum and support within the IT community, with use cases such as online collaboration fueling its popularity.

The recent 2022 State of Open Source Report, conducted by OpenLogic, surveyed 2660 professionals and their organizations using open source tools and found that more than a quarter (27%) said they have no reservations about these tools, while only 13.9% were concerned about them being insecure and untested.