Google is increasing its already large investment in open source software security by forming a new team of developers committed to assisting the maintainers of major open source projects in improving their product’s security. The new Open Source Maintenance Crew is part of the company’s ongoing commitment to strengthen the security of the open source ecosystem, as well as the broader industry push to ensure the long-term viability of the projects that support much of the Internet.
During a two-day meeting at the White House with leaders from dozens of Internet businesses, the Open Source Security Foundation, and Biden administration officials, Google unveiled the new team. The conference was a follow-up to one held in January, during which attendees discussed the vital role of open source software in the industry and how to best handle the problems that maintainers have in attempting to improve the security of their projects. One of the major concerns is a lack of financial and human resources to prevent, detect, and correct systemic security flaws.
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Kent Walker, president of global affairs and chief legal officer at Google, said after the January meeting.
The size of the new Open Source Maintenance Crew has not been revealed, but given Google’s vast resources, it is expected to be large. Several criteria will determine which open source projects the team chooses to work on.
Google pledged $10 billion over the next five years to help strengthen cybersecurity through a range of programmes and projects, including $100 million to support organisations like the OpenSSF. The Open Source Insights project, which provides a dependency graph for any open source product, has also received Google’s support. Google is now making the project’s data available as a public Google Cloud dataset.
“This project analyzes open source packages and provides detailed graphs of dependencies and their properties. With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google said in a blog post Thursday.