Google, Microsoft commit $5 million for project to boost security of open source tools
The Open Source Security Foundation (OSSF) has announced a new initiative called Alpha-Omega to improve the security of open source software with help from software security experts and automated testing tools. The project will be supported by big tech companies including Google and Microsoft, which have pledged an initial investment of $5 million to help it kick off.
OSSF said the Alpha team will work with the most critical open source projects and help their maintainers identify and fix new vulnerabilities in open source code using threat modeling, automated security testing and source code audits.
The Omega team will use automated tools to identify critical security vulnerabilities in close to 10,000 widely used open source projects. It will also provide guidance on automating vulnerability detection and implementing security best practices.
"Open source software is a key part of our technology strategy, and it's essential that we understand the security risk that accompanies all of our software dependencies," Mark Russinovich, chief technology officer at Microsoft Azure, said in a statement.
"Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities," Russinovich added.
The vulnerability in the Apache Log4j logging library that exposed businesses across the globe to increased cyber risk has strengthened demand to make open source tools more secure. Last month, the US government called a summit with industry stakeholders to discuss the security of open source software. Executives from Apple, Alphabet, Amazon, Meta, IBM, Microsoft, the Apache Software Foundation, Oracle, GitHub and the Linux Open Source Foundation were invited to the summit.
According to cybersecurity company Check Point, after the Log4Shell vulnerability became public, millions of attempts to exploit it were reported from across the world. Overall, in 2021, researchers saw 50% more attacks per week on corporate networks compared to 2020. Check Point said cyberattacks increased 50% in 2021 and peaked in December due to Log4j exploits.
Cybercriminals have also intensified attacks on software supply chains. According to a January report by Argon Security, software supply chain attacks grew by more than 300% in 2021. Targeting open source packages and planting malicious code in them was one of the most common techniques used against software supply chains, Argon Security said in the report.
Though Log4j has raised questions about the security of open source software, security experts believe it is not less secure than proprietary software.
Jonathan Tanner, senior security researcher at Barracuda, said that while open source software gets the majority of the headlines when major security flaws are found, this does not mean it is proportionately less secure; in fact, it is likely much more secure than proprietary code or less popular libraries. "Widespread use simply increases the likelihood that vulnerabilities will be found, not necessarily the likelihood that they will exist," he added.