Google: “Open Source Maintenance Crew” is coming

Google has created a new “Open Source Maintenance Crew” to help upstream maintainers of critical open source projects handle bugs and patching processes.

Following the January Summit of the White House with major technology vendors such as Microsoft, Google, IBM and Amazon Web Services, the new team will improve open source cybersecurity and protect the software supply chain. Is part of Google’s contribution to the promotion of.

At that time, President Joe Biden signed a presidential order requiring the government to provide a Software BOM (SBOM) detailing the supply chain relationships of the components used to build software.

look: Cloud Computing Security: The new guidance aims to keep your data safe from cyberattacks and breaches.

According to Google, the new maintenance crew consists of a dedicated team of Google engineers working with upstream maintainers of key open source projects.

“One of the issues that open source maintainers often cite is limited time. Google is launching a new open source maintenance crew because underserved and important open source components are a security risk. Is a dedicated staff of Google engineers working closely with upstream maintainers. About improving the security of important open source projects. ” Google’s Eric Brewer and Abishek Aya said in a blog post..

Google announced the open source security team at the Open Source Software Security Summit II last week. Held at the White House, hosted by the Linux Foundation and the OpenSource Software Security Foundation (OpenSSF), it has been a year since the cybersecurity enforcement order. Demanded higher security standards based on NIST Secure Software Development Framework (SSDF)..

The organization has $ 150 million in funding needed from the private sector 10-point plan Improve open source by migrating risk assessment, digital signatures, and coding from C and C ++ to memory-safe languages ​​such as Rust, Go, and Java, and working on incident response, code scanning, and code auditing.

Google’s efforts to improve open source security and mitigate supply chain risks so far include $ 100 million to support groups such as OpenSSF to fix open source security bugs. It was.

Google said last year as wellKnow, prevent, fix“It’s a framework that works to improve the accessibility of security tools through initiatives such as open source object-subject-verb (OSV) databases and data formats. Python, rustWhen go Ecosystem.

For example, the Python Software Foundation has created the Python Packaging Advisory Database to centralize the advisory for Python packages published in the Pypi repository. Rust Foundation Similar database For advisory on the RustCrates package. Other OSV-dependent databases include vulnerability databases such as: Security Advisory on GitHub (GHSA) And the Cloud Security Alliance Global security database..

“The OSV project has shown that connecting CVE to a vulnerability patch development workflow can be difficult without accurate vulnerability metadata,” said Google’s Brewer and Arya. ..

They want to see when OSV findings are distributed to developers via a code editor, where they can deploy vulnerable workloads.

On the “know” side, Google emphasizes security scorecard projects that give developers insight into the dependencies they might use in their projects. Currently, there are scorecard scans for 1 million projects. The Kubernetes project will also begin using Sigstore to sign and validate releases, making this part part of the supply chain level of software artifacts. SLSA,compliance. OpenSFF’s SLSA framework is based on Google’s internal tools for checking code integrity.

SBOM created using SLSA history and metadata It’s more complete and addresses both source code and build threat vectors, “Google said.

look: Rocky Linux developers raise $ 26 million for enterprise open source push

Other important projects include Google’s OSS-Fuzz for fuzzing open source software. This has helped developers fix 2,300 flaws in over 500 projects over the past year.

The “Fix” component was intended to remove vulnerabilities, improve notifications, and fix defects in the latest version as well as the most widely used versions of affected projects.

Part of that is the OpenSSF Alpha Omega project. This is what Google and Microsoft have offered the first $ 5 million to improve supply chain security.project Awarded $ 300,000 for the widely used Node.js server-side JavaScript runtime project Focus on fixing the vulnerability in 2022.

The other is the Linux Foundation’s Secure Open Source (SOS) project, funded by Google with $ 1 million. SOS, for example, rewards developers up to $ 10,000 by enhancing their software. Google also donated $ 300,000 to the Internet Security Research Group, Rush into the Linux kernel.. Linux kernel developers have been working on making Rust the second language of C in the kernel for the past two years.

Source link