Google launches ‘open-source maintenance crew’

VentureBeat Homepage

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Today, at the White House Open Source Security Summit, Google joined the Open Source Security Foundation (OpenSSF), Linux Foundation and other industry leaders to discuss open-source security initiatives and announced the launch of an “Open Source Maintenance Crew.” 
The maintenance crew is a team of developers who will work to ensure the security of upstream open source projects from tightening configurations to deploying updates. 
Google’s greater focus on supporting the open-source community, has the potential to mitigate vulnerabilities that put enterprises at risk and increase the overall security of the software supply chain. 
The announcement comes as concerns over open-source vulnerabilities have increased, particularly following the spate of Log4j breaches and more broadly as supply chain attacks on open-source software components grew 650% in 2021. 
It also comes as former Google engineers now at Chainguard called on the software industry to standardize open-source projects on Sigstore with a goal to create a universal standard for signing, verifying and protecting software, just weeks after launching a new software supply chain security tool for Kubernetes.
Private companies like Google and Chainguard supporting underfunded and under resourced open-source projects is much needed to deliver tangible security improvements. 
“This problem of securing open-source software is not just about money, for many critical open-source projects it is about the amount of people involved and how much time they can spend on the work,” said Principal Engineer of Open Source Security at Google, Abhishek Arya. 
“Even with more funding, we need capacity to direct that money to the right goals. This is a people problem as well as a money problem. To meaningfully address this challenge, Google resourced the “Open Source Maintenance Crew” with the idea that an entity such as OpenSSF could administer the group and server as a matchmaker for critical projects,” Arya said. 
In practice, Arya says the maintenance crew will be tasked with tightening security configurations. This may include underpinned dependencies, adding automated dependency updates to protect against common supply chain attacks and augmenting the capabilities of the OpenSSF Security Incident Response team to provide support in crisis incidents. 
One of the key reasons for the growth in open-source security initiatives is that the open-source services market is in a state of growth. Researchers anticipate the market will reach a value of $50 billion by 2026, growing at a compound annual growth rate of 18.2%. 
In the past few weeks alone, many private companies have raised significant funding for tools to secure the software supply chain. 
Just earlier this week, Socket announced it has raised $4.6 million in funding for a tool to audit open-source code, find malicious dependencies and secure the JavaScript supply chain. 
Likewise, last week software supply chain security provider, Phylum announced it had raised $15 million in Series A funding and offers a solution that provides risk scores for open-source software packages. 
From across the tech industry, there is a concerted effort among companies like Google, Chainguard, Socket and Phylum to make sure that enterprises can trust the open-source components they use throughout the supply chain.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.
Hear from senior executives at some of the world’s leading enterprises about their experience with applied Data & AI and the strategies they’ve adopted for success.
Join AI and data leaders for insightful talks and exciting networking opportunities in-person July 19 and virtually July 20-28.
© 2022 VentureBeat. All rights reserved.
We may collect cookies and other personal information from your interaction with our website. For more information on the categories of personal information we collect and the purposes we use them for, please view our Notice at Collection.


Leave a Reply

Your email address will not be published.

© 2022 AI Caosuo - Proudly powered by theme Octo