Google has created a new “Open Source Maintenance Crew” who will help upstream maintainers of critical open-source projects to handle bugs and patching processes.
The new team is part of Google’s contribution to the White House’s push to improve cybersecurity in open source and protect software supply chains following the White House’s January summit with major tech vendors, including Microsoft, Google, IBM and Amazon Web Services.
Back then, President Joe Biden signed an executive order that requires the government to provide a Software Bill of Materials (SBOM) that details supply chain relationships of components used in building software.
Google says the new maintenance crew consists of a dedicated team of Google engineers who will work with upstream maintainers of critical open-source projects.
“One issue frequently cited by open source maintainers is limited time. Since under-maintained, critical open source components are a security risk, Google is starting a new Open Source Maintenance Crew, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects,” said Google’s Eric Brewer and Abhishek Arya in a blogpost.
Google announced the open-source security team at last week’s “Open Source Software Security Summit II”, hosted at the White House and organized by The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) to mark one year since the cybersecurity executive order, which demanded higher security standards based on the NIST’s Secure Software Development Framework (SSDF).
The organizations outlined $150 million in funding required from the private sector and a 10-point plan to improve open source by tackling risk assessments, digital signatures, shifting coding from C and C++ to memory-safe languages like Rust, Go and Java, incident response, code scanning, and code audits.
Google’s work to improve open-source security and reduce supply chain risks has previously included $100 million to support groups like OpenSSF to fix security bugs in open source.
Google last year also published the “Know, Prevent, Fix” framework and is working to improve the accessibility of security tools through initiatives like the Open Source Vulnerabilities (OSV) database and data format. The format has been adopted by the Python, Rust, and Go ecosystems.
The Python Software Foundation, for example, created the Python Packaging Advisory Database to centralize advisories for Python packages published on the PyPI repository. The Rust Foundation has a similar database for advisories concerning Rust crates. Other vulnerability databases that use the OSV format include GitHub’s Security Advisories (GHSA) and the Cloud Security Alliance’s Global Security Database.
“The OSV project showed that connecting a CVE to the vulnerability patch development workflow can be difficult without precise vulnerability metadata,” said Google’s Brewer and Arya.
They want to see OSV findings distributed to developers through code editors and at the point where developers might deploy vulnerable workloads.
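The "precise vulnerability metadata" Brewer and Arya refer to is, in the OSV format, the per-package list of affected version ranges expressed as introduced/fixed events. The following added example (not code from the article or from the OSV project) shows how a tool at the developer's editor or deployment point could consume such a record to decide whether an installed version is affected; the advisory record, package name and version numbers are constructed placeholders, and version comparison is a simple dotted-integer comparison rather than a full PEP 440 parser.

```python
import json
from typing import Iterator, Optional, Tuple

# Constructed sample OSV record (hypothetical package, ID and versions,
# not a real advisory). Field names follow the OSV schema layout:
# affected[] -> package / ranges[] -> events[] with introduced/fixed.
SAMPLE_OSV = json.loads("""
{
  "id": "EXAMPLE-0000-0001",
  "summary": "Constructed advisory for illustration only",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                    {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    }
  ]
}
""")

Version = Tuple[int, ...]

def parse_version(v: str) -> Version:
    """Dotted-integer version, e.g. '1.4.2' -> (1, 4, 2). '0' means 'from the beginning'."""
    return tuple(int(part) for part in v.split("."))

def affected_intervals(record: dict, ecosystem: str, name: str) -> Iterator[Tuple[Version, Optional[Version]]]:
    """Yield [introduced, fixed) intervals for one package from an OSV record.
    Only ECOSYSTEM ranges with introduced/fixed events are handled here."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start: Optional[Version] = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = parse_version(ev["introduced"])
                elif "fixed" in ev and start is not None:
                    yield (start, parse_version(ev["fixed"]))
                    start = None
            if start is not None:          # introduced but never fixed: open-ended
                yield (start, None)

def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if `version` of the package falls inside any affected interval."""
    v = parse_version(version)
    return any(v >= lo and (hi is None or v < hi)
               for lo, hi in affected_intervals(record, ecosystem, name))
```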
On the ‘Know’ side, Google highlights the Security Scorecards project, which gives developers insights about dependencies they might use in a project. Now, there are scorecard scans of one million projects. The Kubernetes project has also started using Sigstore to sign and verify its releases, and makes this part of its Supply Chain Levels for Software Artifacts, or SLSA, compliance. The OpenSSF’s SLSA framework is based on Google’s internal tools to check code integrity.
“An SBOM created using SLSA provenance and metadata is more complete and addresses both source code and build threat vectors,” says Google.
Other key projects include Google’s OSS-Fuzz, a fuzzing service for open-source software, which has helped developers fix 2,300 flaws across over 500 projects during the past year.
The ‘Fix’ component was aimed at removing vulnerabilities and improving notifications to help remediate flaws in the most widely used versions of an affected project rather than just the most recent versions.
Part of this is the OpenSSF’s Alpha Omega project, to which Google and Microsoft gave an initial $5 million to improve supply chain security. The project awarded the widely used Node.js server-side JavaScript runtime project $300,000 to focus on fixing vulnerabilities in 2022.
Another is the Linux Foundation’s Secure Open Source (SOS) project, which Google backed with $1 million in funding. SOS offers developers rewards of up to $10,000 for hardening software, for example. Google also gave $300,000 to the Internet Security Research Group to improve memory safety by bringing Rust into the Linux kernel. Linux kernel developers have worked on making Rust the kernel’s second language after C for the past two years.