Google Sponsors OSTIF Security Reviews on Critical Open Source Software




Google is providing financial support to the Open Source Technology Improvement Fund (OSTIF), with the intention of sponsoring security reviews in a handful of critical open source software projects.

Open source software plays a vital role in the software supply chain and is integrated into many critical infrastructures and national security systems. However, the data suggests that “upstream” attacks against open source software have increased dramatically over the past year. Additionally, after countless organizations – from government agencies to hospitals and businesses – were affected by targeted software supply chain attacks, President Biden issued an executive order in May outlining measures to combat them.


Today’s announcement comes less than a month after Google unveiled a $10 billion cybersecurity pledge to support President Biden’s plans to bolster U.S. cyber defenses. As part of its five-year investment, Google said it will help expand zero-trust programs, secure the software supply chain, improve open source security, and more.

Specifically, Google has pledged $100 million to third-party foundations that support open source security.

The first fruits of this commitment will see Google fund OSTIF’s new Managed Audit Program (MAP), with a view to extending its existing security reviews to more projects. OSTIF, a non-profit organization founded in 2015 to support security audits of open source technologies, initially identified 25 projects for MAP, which it says represent “the most critical digital infrastructure.” From there, it prioritized eight libraries, frameworks, and applications “that would benefit the most from security improvements and have the greatest impact on the open source ecosystem that depends on them.”

These eight projects are: Git, Lodash, Laravel, Slf4j, Jackson-core, Jackson-databind, Httpcomponents-core and Httpcomponents-client.

It should be noted that Google’s investment is not entirely altruistic, as its own software and infrastructure rely heavily on robust open source components; the internet giant has announced a slew of similar open source security initiatives this year. In February, for example, Google revealed that it was sponsoring Linux kernel developers, and a few months ago it introduced Supply-chain Levels for Software Artifacts (SLSA), which it presents as an end-to-end framework to “ensure the integrity of software artifacts throughout the software supply chain.” The company also recently expanded its open source vulnerability database (OSV) to cover Python, Rust, Go, and DWF.

Although OSTIF is focusing the MAP on only eight projects so far, it hopes to “significantly expand operations to support hundreds of projects in the coming years”.

