How do you fix a problem like open-source security? Google has an idea, though constraints may not go down well (Security News, February 2021)
A team from Google has now posted at length about the issue in the hope of "sparking industry-wide discussion and progress on the security of open source software."
The post, called "Know, Prevent, Fix", is co-authored by Eric Brewer, VP of infrastructure at Google; distinguished engineer Rob Pike; principal software engineer Abhishek Arya; Anne Bertucio, program manager for Open Source Security; and product manager Kim Lewandowski.
The new post references some of the work of OpenSSF, in particular Security Scorecards, which is an automated tool to assess the security of a project according to various criteria such as use of code review, static analysis, tests, and the existence of a security policy.
Google suggested that "open source software should be less risky on the security front, as all of the code and dependencies are in the open and available for inspection and verification," but noted that this only applies if people are "actually looking."
The Google team acknowledged that its goals for critical software are "more onerous and therefore will meet some resistance, but we believe the extra constraints are fundamental for security."
The question is not only how use of open source affects security, but how the requirements of security will impact open source.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/04/google_open_source_security/