Google announces partnership to review the security of open source software projects

Emma Woollacott September 17, 2021 at 12:54 UTC

Updated: September 21, 2021 at 11:52 UTC

Tech giant to support security reviews of eight projects, including Git, Lodash and Laravel

After pledging $100 million for open source security improvements last month, Google is sponsoring security reviews of eight projects in partnership with the Open Source Technology Improvement Fund (OSTIF).

OSTIF initially identified 25 candidate projects, all of which qualified as critical, according to an announcement on the OSTIF website.

The shortlist was derived from the OpenSSF Criticality Score project, work by the Linux Foundation and Harvard LISH, and a University of Washington paper titled “Underproduction: An Approach for Measuring Risk in Open Source Software”.

“Once we had built a list of projects that we wanted to review, we worked with our advisory board, which helped narrow the much larger list down to the 25 highest-priority projects,” Derek Zimmer, executive director of OSTIF, told The Daily Swig.


“It was a complicated task, because if you ask someone in open source what the 25 most important open source projects are, you will often end up with completely different lists with little to no overlap, so doing that as a data-driven initiative has helped us get a foundation to build on and work towards consensus.”

Google’s support will fund reviews of the following eight libraries, frameworks and applications:

  • Git – the de facto standard version control software used in modern DevOps
  • Lodash – a modern JavaScript utility library
  • Laravel – a PHP web application framework used by many modern full-stack web applications, including integrations with Google Cloud
  • Slf4j – a logging facade for various Java logging frameworks
  • Jackson-core and Jackson-databind – the core of the Jackson JSON library for Java, comprising the streaming API and shared components, and the data binding package built on top of it
  • Httpcomponents-core and Httpcomponents-client – a low-level Java component toolset focused on HTTP and associated protocols


Tim Mackey, senior security strategist at the Synopsys Cybersecurity Research Center, believes the projects were well chosen: Jackson-databind and Lodash were each identified as a high-risk component present in the majority of applications audited in the 2020 and 2021 editions of Synopsys’ Open Source Security and Risk Analysis (OSSRA) report.

“In both cases, the vulnerabilities in question were related to the way these core components handle user data,” he told The Daily Swig.

“Since consumers of open source components often assume that these components are released according to commercial software paradigms, any security breach in a fundamental component like those audited by OSTIF has the potential to impact many applications and, by extension, end users.”

Success so far

OSTIF has had successes before: for example, its end-to-end review of Unbound, a widely deployed open source validating, recursive DNS resolver, led to the correction of one critical issue, five high-severity issues, and five of medium severity.

“Software security is difficult, and there are a limited number of people who can browse an application’s source code and find problems,” Zimmer explains.

“To assume that major problems in the top 100,000 open source projects are found with reasonable frequency would be wrong, and automated testing can only go so far.”
