Google announced on Thursday that it is creating a new “Open Source Maintenance Crew” tasked with improving the security of critical open source projects.
The tech giant said it would also be improving OSS-Fuzz, its fuzzing service for open source developers, which has helped researchers find more than 2,300 vulnerabilities in over 500 projects during the last year.
The announcements came after Google executives joined 80 other leaders from several companies in a meeting led by the Open Source Security Foundation (OpenSSF) and the Linux Foundation about the progress made on open source software security initiatives in the months since they were all invited to a White House summit convened by the National Security Council.
The White House meeting was called in light of the grave concerns raised around prominent attacks and vulnerabilities in critical open source libraries like Codecov and Log4j.
OpenSSF was created in 2020 by big tech firms in order to help steer, guide, and share open-source security tools.
During a press conference after the meeting, OpenSSF general manager Brian Behlendorf said the organization has secured about $30 million in pledges from Amazon, Ericsson, VMware, Intel, Microsoft and Google to help fund a range of efforts to secure open source projects.
Almost all major software packages include open source software, including software used by the national security community and critical infrastructure.
Behlendorf added that the group is looking to expand beyond the US and coordinate with international partners on open source security projects.
Several experts also spoke about initiatives centered around Software Bills of Materials — an effort the Cybersecurity and Infrastructure Security Agency is working on.
After the meeting on Thursday, Google executives explained that the Open Source Maintenance Crew will “work directly on improving the security of critical open source projects.”
“In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software,” Google said.
They noted that OpenSSF “has become a community town hall for driving security engineering efforts, discussions, and industry-wide collaboration.”
Two weeks ago, OpenSSF announced the creation of a tool that can be used to scan popular open-source repositories for malicious packages. Google touted another project – Open Source Insights – that analyzes open source packages and provides detailed graphs of dependencies and their properties.
“With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google explained.
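The point Google makes about Log4j, that an affected library several layers deep still reaches every application above it, is easy to see with a small dependency-graph walk. The following Python is an added illustration written for this page, not code from Google's Open Source Insights or any project named in the article; the package names and the "advisory" for `logging-impl` are constructed placeholders, not real coordinates or a real CVE.

```python
"""Transitive-dependency impact check over a constructed dependency graph.

Added illustration (not Open Source Insights code): given each package's
direct dependencies, find which top-level applications are exposed to an
affected package and how many layers deep the exposure sits.
"""
from collections import deque

# Constructed sample graph: package -> direct dependencies.
# Names are illustrative placeholders, not real package coordinates.
SAMPLE_GRAPH = {
    "webapp": ["http-framework", "json-lib"],
    "batch-job": ["scheduler"],
    "http-framework": ["logging-facade", "json-lib"],
    "scheduler": ["logging-facade"],
    "logging-facade": ["logging-impl"],
    "logging-impl": [],
    "json-lib": [],
    "cli-tool": ["json-lib"],
}


def min_depth(graph, root, target):
    """Breadth-first search: smallest number of dependency hops from ``root``
    to ``target``, or None if ``root`` never pulls it in.
    Depth 1 means a direct dependency."""
    if root == target:
        return 0
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        pkg, depth = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep == target:
                return depth + 1
            if dep not in seen:  # guards against dependency cycles
                seen.add(dep)
                queue.append((dep, depth + 1))
    return None


def dependency_paths(graph, root, target, _path=None):
    """Depth-first search returning every simple path from ``root`` to
    ``target``. Each path lists the intermediate packages that must ship a
    new release before the root can pick up a fixed ``target``."""
    path = (_path or []) + [root]
    if root == target:
        return [path]
    paths = []
    for dep in graph.get(root, []):
        if dep not in path:  # skip cycles
            paths.extend(dependency_paths(graph, dep, target, path))
    return paths


def impact_report(graph, target):
    """For every top-level package (one nothing else depends on), report the
    minimum depth at which ``target`` appears. Roots that never reach it are
    omitted from the result."""
    depended_on = {d for deps in graph.values() for d in deps}
    roots = [p for p in graph if p not in depended_on]
    report = {}
    for root in roots:
        depth = min_depth(graph, root, target)
        if depth is not None:
            report[root] = depth
    return report


if __name__ == "__main__":
    # Pretend an advisory was published for "logging-impl" (constructed).
    affected = impact_report(SAMPLE_GRAPH, "logging-impl")
    for root, depth in sorted(affected.items()):
        print(f"{root}: affected at depth {depth}")
        for p in dependency_paths(SAMPLE_GRAPH, root, "logging-impl"):
            print("   " + " -> ".join(p))
```

Running it shows that neither `webapp` nor `batch-job` declares `logging-impl` directly, yet both are exposed three hops down, while `cli-tool` is untouched. The path listing is the part a maintainer actually needs during a response: every intermediate package on a path has to publish a release that bumps the fixed version before the application at the top can be patched, which is why deep transitive exposure takes so long to clear.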