After pledging $100 million towards improving open source security last month, Google is sponsoring security reviews of eight projects through a partnership with the Open Source Technology Improvement Fund (OSTIF).
OSTIF has initially identified 25 potential projects, all of which are dubbed critical, according to an announcement on the OSTIF website.
The shortlist is derived from the OpenSSF Criticality Score Project, work by the Linux Foundation and Harvard LISH, and a paper from the University of Washington titled ‘Underproduction: An Approach for Measuring Risk in Open Source Software’.
“Once we had constructed a list of projects that we wanted to review, we worked with our advisory council who helped narrow the much larger list down to the 25 highest-priority projects,” OSTIF executive director Derek Zimmer tells The Daily Swig.
“This was a complicated task, because if you ask anyone in open source what the 25 most important open source projects are, you’ll often get completely different lists with little to no overlap, so doing this as a data-driven initiative helped us to get some bedrock to build upon and work toward a consensus.”
Google’s support will go towards reviewing eight libraries, frameworks, and apps, including:
- Git – de facto version control software used in modern DevOps
- Lodash – a modern JavaScript utility library
- Laravel – a PHP web application framework used by many modern, full-stack web applications, including integrations with Google Cloud
- Slf4j – a logging facade for various Java logging frameworks
- Jackson-core and Jackson-databind – the core JSON for Java streaming API and shared components, which form the base for the Jackson data-binding package
- Httpcomponents-core and Httpcomponents-client – responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, believes the projects have been well chosen: both the Jackson-databind component and Lodash were identified as highly vulnerable components in a majority of audited applications in the 2020 and 2021 OSSRA reports.
“In both cases, the vulnerabilities in question related to how those core components process user data,” he tells The Daily Swig.
“Given how consumers of open source components often assume those components are released following commercial software paradigms, any security gaps in a foundational component like those being audited by OSTIF have the potential to impact a large number of applications and, by extension, end users.”
Success so far
OSTIF has already had its successes – for example, its end-to-end review of Unbound, an open source DNS resolver used to secure websites, led to the patching of one critical, five high, and five medium severity issues.
“Software security is hard, and there’s a limited number of people that can look through the source code of an application and find issues,” says Zimmer.
“To make the assumption that major issues in the top 100,000 open source projects are being found with a reasonable frequency would be a mistake, and automated testing can only go so far.”