Today, at the White House Open Source Security Summit, Google joined the Open Source Security Foundation (OpenSSF), the Linux Foundation and other industry leaders to discuss open source security initiatives, and announced the launch of an “Open Source Maintenance Crew.”
The maintenance crew is a team of developers working to ensure the security of upstream open source projects, from tightening configurations to deploying updates.
Google’s increased focus on supporting the open source community has the potential to mitigate vulnerabilities that put businesses at risk and increase the overall security of the software supply chain.
Google is focused on securing the software supply chain
The announcement comes as concern about open source vulnerabilities has grown, particularly after the wave of Log4j exploitation, and more broadly as supply chain attacks on open source software components increased by 650% in 2021.
It also comes as Chainguard, founded by former Google engineers, urged the software industry to standardize open source projects on Sigstore as a universal standard for signing, verifying and protecting software, just weeks after the launch of new software supply chain security tools for Kubernetes.
Support from private companies like Google and Chainguard for understaffed and underfunded open source projects is badly needed to make tangible security improvements.
“This problem of securing open source software isn’t just about money; with many critical open source projects it’s about the number of people involved and how much time they can devote to the work,” said Abhishek Arya, principal engineer of open source security at Google.
“Even with more funds, we need capacity to channel this money to the right goals. This is both a people problem and a money problem. To address this challenge in a meaningful way, Google endowed the Open Source Maintenance Crew with the idea that an entity like OpenSSF could manage the group and serve as a matchmaker for critical projects,” Arya said.
In practice, Arya says, the maintenance crew will be tasked with tightening security configurations such as pinned dependencies, adding automatic dependency updates to protect against common supply chain attacks, and expanding the capacity of the OpenSSF Security Incident Response team to provide support during crises.
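The configuration tightening Arya describes, pinning dependencies so that a mutable tag or version range cannot be swapped out underneath a build, can be checked mechanically. The following Python script is an added example written for this article; it is not Google's or OpenSSF's tooling. It flags unpinned entries in a Python requirements file (anything that is not an exact `==` pin with a `--hash=`) and unpinned GitHub Actions `uses:` references (anything not pinned to a full commit SHA or image digest). The sample requirements file, workflow, action names, hash values and the `example.invalid` URL are all constructed for the illustration.

```python
"""Flag dependency declarations that are not pinned to an immutable version.

Added example (not Google's or OpenSSF's code). Two checks a maintenance
crew tightening a project's configuration would typically apply:

1. Python requirements: a line counts as pinned only if it is an exact
   'name==version' and carries at least one --hash= so that
   `pip install --require-hashes` can verify the downloaded artifact.
2. GitHub Actions `uses:` references: pinned only if the ref after '@' is a
   full 40-hex commit SHA (tags and branches are mutable) and container
   images are referenced by digest rather than tag.

The sample files below are constructed for this illustration.
"""
import re

SAMPLE_REQUIREMENTS = """\
# requirements.txt (constructed sample)
requests>=2.0
urllib3==1.26.9
certifi==2022.5.18.1 \\
    --hash=sha256:9c5705e395cd70084351dd8ad5c41e65655e08ce46f2ec9cf6c2c08390f71eb7
-e git+https://example.invalid/repo.git#egg=pkg
"""

SAMPLE_WORKFLOW = """\
# .github/workflows/ci.yml (constructed sample)
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.16
      - run: pip install --require-hashes -r requirements.txt
"""

# 'name[extras]==version' and nothing else (environment markers are out of scope here).
_EXACT_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[0-9A-Za-z.+-]+$")
_COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _logical_lines(text):
    """Join backslash-continued lines and drop blank lines and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical, buf = (buf + line).strip(), ""
        if logical and not logical.startswith("#"):
            lines.append(logical)
    return lines


def unpinned_requirements(text):
    """Return (declaration, reason) for every requirement that is not hash-pinned."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            # -e/-r/--index-url and VCS installs bypass hash verification entirely.
            findings.append((line, "option or VCS line cannot be hash-verified"))
            continue
        spec, *hashes = [part.strip() for part in line.split("--hash=")]
        if not _EXACT_PIN_RE.match(spec):
            findings.append((spec, "not an exact '==' pin (version range or wildcard)"))
        elif not hashes:
            findings.append((spec, "exact pin but no --hash, so the artifact is not verified"))
    return findings


def unpinned_actions(text):
    """Return (reference, reason) for every `uses:` that is not pinned to an immutable ref."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"\buses:\s*(\S+)", line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned together with the calling repository
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((ref, "container image referenced by tag, not digest"))
            continue
        if "@" not in ref:
            findings.append((ref, "no ref given, resolves to the default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not _COMMIT_SHA_RE.match(version):
            findings.append((ref, f"mutable ref '{version}' instead of a commit SHA"))
    return findings


if __name__ == "__main__":
    for declaration, reason in unpinned_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements: {declaration}: {reason}")
    for reference, reason in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow: {reference}: {reason}")
```

Pinning by SHA or digest closes the door to tag re-pointing, but it also freezes the dependency; that is why the pinning check and the automatic-update work Arya mentions belong together, with a bot proposing the new SHA and hash while the lockfile remains immutable between updates.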
A look at the growth of the open source services market
One of the main reasons for the growth of open source security initiatives is that the market for open source services is itself growing, with researchers projecting that it will reach $50 billion by 2026 at a compound annual growth rate of 18.2%.
In the last few weeks alone, a number of private companies have raised significant funds for tools to secure the software supply chain.
Among them, Phylum, a software supply chain security provider, announced last week that it has raised $15 million in Series A funding for a solution that provides risk assessments of open source software packages.
Across the technology industry, there is a concerted effort by companies like Google, Chainguard, Socket and Phylum to ensure companies can trust the open source components they use throughout the supply chain.