How do you fix a problem like open-source security? Google has an idea, though constraints may not go down well
2021-02-04 19:32

A team from Google has now posted at length about the issue of open-source security in the hope of "sparking industry-wide discussion and progress on the security of open source software."

The post, called "Know, Prevent, Fix", is co-authored by Eric Brewer, VP of infrastructure at Google; distinguished engineer Rob Pike; principal software engineer Abhishek Arya; Anne Bertucio, program manager for Open Source Security; and product manager Kim Lewandowski.

The new post references some of the work of OpenSSF, in particular Security Scorecards, which is an automated tool to assess the security of a project according to various criteria such as use of code review, static analysis, tests, and the existence of a security policy.

Google suggested that "open source software should be less risky on the security front, as all of the code and dependencies are in the open and available for inspection and verification," but noted that this only holds if people are "actually looking."

The Google team acknowledged that its goals for critical software are "more onerous and therefore will meet some resistance, but we believe the extra constraints are fundamental for security."

The question is not only how use of open source affects security, but how the requirements of security will impact open source.
News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/04/google_open_source_security/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 996 4895 2855 1622 10368