Google launches ‘open-source maintenance crew’
Today, at the White House Open-Source Security Summit, Google joined the Open-Source Security Foundation (OpenSSF), Linux Foundation and other industry leaders to discuss open-source security initiatives and announced the launch of an “Open-Source Maintenance Crew.”
The maintenance crew is a team of developers who will work to ensure the security of upstream open-source projects from tightening configurations to deploying updates.
Google’s greater focus on supporting the open-source community, has the potential to mitigate vulnerabilities that put enterprises at risk and increase the overall security of the software supply chain.
Google sets its sights on securing the software supply chain
The announcement comes as concerns over open-source vulnerabilities have increased, particularly following the spate of Log4j breaches and more broadly as supply chain attacks on open-source software components grew 650% in 2021.
It also comes as former Google engineers now at Chainguard called on the software industry to standardize open-source projects on Sigstore with a goal to create a universal standard for signing, verifying, and protecting software, just weeks after launching a new software supply chain security tool for Kubernetes.
Private companies like Google and Chainguard supporting underfunded and under resourced open-source projects is much needed to deliver tangible security improvements.
“This problem of securing open-source software is not just about money, for many critical open-source projects it is about the amount of people involved and how much time they can spend on the work,”
“Even with more funding, we need capacity to direct that money to the right goals. This is a people problem as well as a money problem. To meaningfully address this challenge, Google resourced the “Open-Source Maintenance Crew” with the idea that an entity such as OpenSSF could administer the group and server as a matchmaker for critical projects.” Abhishek Arya Principal Engineer of Open-Source Security at Google
In practice, Arya says the maintenance crew will be tasked with tightening security configurations. This may include underpinned dependencies, adding automated dependency updates to protect against common supply chain attacks and augmenting the capabilities of the OpenSSF Security Incident Response team to provide support in crisis incidents.
A look at the growth of the open-source services market
One of the key reasons for the growth in open-source security initiatives is that the open-source services market is in a state of growth. Researchers anticipate the market will reach a value of $50 billion by 2026, growing at a compound annual growth rate of 18.2%.
In the past few weeks alone, many private companies have raised significant funding for tools to secure the software supply chain.
Just earlier this week, Socket announced it has raised $4.6 million in funding for a tool to audit open-source code, find malicious dependencies and secure the JavaScript supply chain.
Likewise, last week software supply chain security provider, Phylum announced it had raised $15 million in Series A funding and offers a solution that provides risk scores for open-source software packages.
From across the tech industry, there is a concerted effort among companies like Google, Chainguard, Socket and Phylum to make sure that enterprises can trust the open-source components they use throughout the supply chain.