Google is partnering with the Open Source Technology Improvement Fund, Inc. (OSTIF) to sponsor security reviews of critical open source software.
OSTIF is elated to announce that we plan to improve the security of eight open-source projects, thanks to support from the Google Open Source Security Team.
This marks a major success in bringing on large corporate donors to support OSTIF’s model of improving open source software through security reviews and source code audits. A focused, well-scoped review by an experienced team can drive significant and long-lasting improvements in widely used projects. For example, OSTIF’s end-to-end review of Unbound, an open-source, validating Domain Name System (DNS) resolver that many websites and networks rely on for secure name resolution, resulted in 48 changes that strengthened its security, including finding and patching one Critical, five High, and five Medium severity issues.
Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand our in-depth security reviews to even more projects vital to the open source ecosystem. Our initial list of 25 MAP projects was identified empirically by research [1], [2], [3] targeted at identifying the most critical digital infrastructure, and cross-referenced with OpenSSF’s Security Scorecards to prioritize projects within the list. Together, these efforts identified eight libraries, frameworks and apps that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them.
Git is the de facto version control software used in modern DevOps. According to the Criticality Score Index, Git is the second-most critical application written in C and the 10th-most critical application across all languages. In development since 2005, Git underpins GitHub and GitLab and is undoubtedly one of the most critical pieces of open-source software in the world.
Laravel is a PHP web application framework used by many modern, full-stack web applications, including integrations with Google Cloud. Laravel was chosen for security review because of its ubiquity and project age, along with a relatively high Criticality Score of 79%. Laravel has had at least 9 reported vulnerabilities since 2017 and a Security Scorecard of 58%, making it a good candidate for a security review and a boost to its security posture.
Jackson-core & Jackson-databind
Httpcomponents-core & Httpcomponents-client
We would like to thank the Google Open Source Security Team for helping us scale our impact to not only find bugs but also fix issues across the open-source ecosystem. From here, we hope to significantly grow operations to support hundreds of projects in the coming few years. To reach this goal, we will need support from the communities that rely on this infrastructure, and improve our data to target the best projects for our work. In the end, we believe these combined efforts will lead to a safer open source environment for everyone.