Google is upping its already significant investment in the security of open source software, creating a new team of developers dedicated to helping the maintainers of critical open source projects improve the security of their software. The new Open Source Maintenance Crew is an extension of the company’s ongoing effort to improve the security of the open source ecosystem and ties into the broader industry push to shore up the resilience of the projects that underpin much of the Internet.
Google announced the new team during a two-day meeting at the White House that included leaders from dozens of tech companies, the Open Source Security Foundation, and Biden administration officials. The gathering was a follow-up to a similar meeting in January in which the participants discussed the critical role that open source software plays in the industry and how best to address the challenges that maintainers face in trying to improve the security of their projects. One of the main issues is a lack of resources, both financial and human, to prevent, find, and fix systemic security weaknesses.
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Kent Walker, president of global affairs and chief legal officer at Google, said after the January meeting.
The size of the new Open Source Maintenance Crew team is not being made public, but given the amount of resources at Google’s disposal, it will likely be substantial. How the team will choose which open source projects to work on will depend on a number of factors.
“Criticality of an open source project is difficult to define; what might be a critical dependency for one consumer of open source software may be entirely absent for another. However, arriving at a shared understanding and framework allows us to have productive conversations about our dependencies. Simply put, we define criticality to be the influence and importance of a project,” said Abhishek Aarya, principal engineer, Google Open Source Security Team.
On the financial side, Google last year committed $10 billion over the next five years to help improve cybersecurity through a variety of programs and initiatives, including $100 million to support organizations such as the OpenSSF. Google also has supported the Open Source Insights project, which provides a dependency graph for any open source package. Now, Google is releasing the data that’s used by the project as a public Google Cloud dataset.
“This project analyzes open source packages and provides detailed graphs of dependencies and their properties. With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google said in a blog post Thursday.
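The "many layers deep" point in the quote above is easy to see with a small dependency graph. The following is an added example, not code from the article, from Google, or from the Open Source Insights project; the package names and edges are constructed for illustration, and a real analysis would draw its graph from lockfiles or a dataset like the one described rather than from a hard-coded dictionary. It walks the graph forward to list what a package pulls in, and backward to list every package that would be affected if one deep dependency turned out to be vulnerable.

```python
"""Transitive dependency impact over a constructed dependency graph.

Added example (not the project's or the vendor's code). The graph and package
names below are hypothetical; in practice they would come from resolved
lockfiles or a public dependency dataset.
"""
from collections import deque

# Constructed graph: package -> set of direct dependencies (hypothetical names).
DEPENDENCY_GRAPH = {
    "web-app": {"http-server", "template-engine"},
    "http-server": {"logging-facade", "tls-lib"},
    "template-engine": {"logging-facade"},
    "logging-facade": {"log-core"},
    "log-core": set(),
    "tls-lib": set(),
    "cli-tool": {"log-core"},
    "standalone-lib": set(),
}


def transitive_dependencies(graph, package):
    """Return {dependency: depth} for every package reachable from `package`.

    Breadth-first traversal, so the depth recorded is the shortest path.
    `package` itself is not included in the result.
    """
    depths = {}
    queue = deque([(package, 0)])
    seen = {package}
    while queue:
        current, depth = queue.popleft()
        for dep in graph.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                depths[dep] = depth + 1
                queue.append((dep, depth + 1))
    return depths


def reverse_graph(graph):
    """Invert the edges: package -> set of packages that depend on it directly."""
    dependents = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(pkg)
    return dependents


def affected_by(graph, vulnerable):
    """Return {dependent: depth} for every package that transitively pulls in `vulnerable`.

    Depth 1 means a direct dependency; larger depths are the "many layers deep"
    case where a consumer may not even know the vulnerable package is present.
    """
    return transitive_dependencies(reverse_graph(graph), vulnerable)


def impact_report(graph, vulnerable):
    """Sort affected packages by depth so the hardest-to-notice cases stand out."""
    affected = affected_by(graph, vulnerable)
    return sorted(affected.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("web-app pulls in:", transitive_dependencies(DEPENDENCY_GRAPH, "web-app"))
    for pkg, depth in impact_report(DEPENDENCY_GRAPH, "log-core"):
        print(f"{pkg} is affected by log-core at depth {depth}")
```

Running `impact_report` on the hypothetical `log-core` package shows `web-app` affected at depth 3 even though it never declares `log-core` directly, which is exactly the situation the dependency graph data is meant to make visible before an incident rather than during one.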