Google sponsors OSTIF security reviews of critical open source software

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Google is giving its financial backing to the Open Source Technology Improvement Fund (OSTIF), with plans to sponsor security reviews in a handful of critical open source software projects.

Open source software plays an integral part in the software supply chain, and it is incorporated into many critical infrastructure and national security systems. However, data suggests that “upstream” attacks on open source software has increased significantly in the past year. Moreover, after countless organizations — from government agencies to hospitals and corporations — were hit by targeted software supply chain attacks, President Biden issued an executive order back in May outlining measures to combat this.

Open sourced

Today’s announcement comes less than a month after Google unveiled a $10 billion cybersecurity commitment to support President Biden’s plans to bolster U.S. cyber defenses. As part of its five year investment, Google said it would help fund zero-trust program expansions, secure the software supply chain, improve open-source security, and more.

Specifically, Google pledged $100 million to third-party foundations that support open source security.

The first fruits of this commitment will see Google fund OSTIF’s new managed audit program (MAP), with a view toward expanding its existing security reviews to more projects. OSTIF, a non-profit organization founded back in 2015 to support security audits in open source technologies, initially identified 25 projects for MAP, which it says identifies “the most critical digital infrastructure.” From there, they prioritized eight libraries, frameworks, and apps “that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them.”

These eight projects are: Git; Lodash; Laravel; Slf4j; Jackson-core and Jackson-databind; and Httpcomponents-core and Httpcomponents-client.

It’s worth noting that Google’s investment isn’t an entirely altruistic endeavor, as its own software and infrastructure relies heavily on robust open source components — the internet giant has announced a slew of similar open source-related security initiatives previously this year. Back in February, Google revealed it was sponsoring Linux kernel developers, for example, while a few months back it introduced Supply Chain Levels for Software Artifacts (SLSA), which it touts as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain. The company also recently extended its open source vulnerabilities database to cover Python, Rust, Go, and DWF.

Although OSTIF is focusing MAP on just eight projects for now, it said that it hopes to “significantly grow operations to support hundreds of projects in the coming few years.”