Hard News Hard Hitting News Source Global Political News

Google announces partnership to review security of open source software projects

After pledging $100 million towards improving open source security last month, Google is sponsoring security reviews of eight projects through a partnership with the Open Source Technology Improvement Fund (OSTIF).

OSTIF has initially identified 25 potential projects, all of which are dubbed critical, according to an announcement on the OSTIF website.

The shortlist is derived from the OpenSSF Criticality Score Project, work by the Linux Foundation and Harvard LISH, and a paper from the University of Washington titled ‘Underproduction: An Approach for Measuring Risk in Open Source Software’.

“Once we had constructed a list of projects that we wanted to review, we worked with our advisory council who helped narrow the much larger list down to the 25 highest-priority projects,” OSTIF executive director Derek Zimmer tells The Daily Swig.

“This was a complicated task, because if you ask anyone in open source what the 25 most important open source projects are, you’ll often get completely different lists with little to no overlap, so doing this as a data-driven initiative helped us to get some bedrock to build upon and work toward a consensus.”

Google’s support will go towards reviewing eight libraries, frameworks, and apps, including:

  • Git – de facto version control software used in modern DevOps
  • Lodash – a modern JavaScript utility library
  • Laravel – a PHP web application framework used by many modern, full-stack web applications, including integrations with Google Cloud
  • Slf4j – a logging facade for various Java logging frameworks
  • Jackson-core and Jackson-databind – JSON for Java: the streaming API and shared components that form the base for the Jackson data-binding package
  • Httpcomponents-core and Httpcomponents-client – responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, believes the projects have been well chosen: both the Jackson-databind component and Lodash were identified as highly vulnerable components in a majority of audited applications in the 2020 and 2021 OSSRA reports.

“In both cases, the vulnerabilities in question related to how those core components process user data,” he tells The Daily Swig.

“Given how consumers of open source components often assume those components are released following commercial software paradigms, any security gaps in a foundational component like those being audited by OSTIF have the potential to impact a large number of applications and, by extension, end users.”

Success so far

OSTIF has already had its successes – for example, its end-to-end review of Unbound, an open source DNS resolver used to secure websites, led to the patching of one critical, five high, and five medium severity issues.

“Software security is hard, and there’s a limited number of people that can look through the source code of an application and find issues,” says Zimmer.

“To make the assumption that major issues in the top 100,000 open source projects are being found with a reasonable frequency would be a mistake, and automated testing can only go so far.”

Source: https://portswigger.net/daily-swig/google-announces-partnership-to-review-security-of-open-source-software-projects
