Google has launched the Secure Open Source — SOS — pilot program, seeding $1 million to the Linux Foundation to offer incentives as high as $10,000 for developers to write more secure code for open-source projects.
In a blog post, Google said it will consider the definition the National Institute of Standards and Technology established in response to the recent Biden administration executive order on cybersecurity, along with the following criteria:
The project’s impact:
The project’s rankings in existing open source criticality research:
Google understands that incentivizing secure development for open source has potential massive benefits for the entire ecosystem, said Archie Agarwal, founder and CEO at ThreatModeler.
“In recent times, far too often breaches have occurred because of vulnerabilities in these underlying open-source code libraries,” Agarwal said. “It’s heartening to see Google aiming straight for the heart of the problem by funding the SOS program. I sincerely hope this $1 million investment is only the beginning and the success of the project drives larger contributions from Google, encouraging other organizations to do likewise.”
Open-source likes to claim that any vulnerability gets found and fixed quickly because of the diversity of the distributed development team, said Saryu Nayyar, CEO at Gurucul. While it’s true in some cases, it’s probably not in others, depending on the project, Nayyar said.
“So Google’s SOS pilot program is an interesting way of hardening up open-source software, by paying grants to projects for more secure software,” Nayyar said. “While it’s not clear that many open-source projects are motivated by financial rewards, it’s an intriguing way of encouraging better software in the overall software supply chain.”
John Bambenek, principal threat hunter at Netenrich, said the consequence of open-source software becoming critical components of so many applications is that often there’s no effective product security team that can help drive security updates — or routine security enhancements.
“Google and other companies that rely on these projects can step into the gap by incentivizing developers to help create better code or letting their staff contribute enhancements during their corporate work time,” Bambenek said. “It’s a win-win for everyone involved.”
Doug Britton, CEO of Haystack Solutions, wonders if the industry can rely on these altruistic efforts to ensure the stability of our digital infrastructure. Britton said if economic incentives power protection, there are also economic incentives powering bad actors. So Britton poses the question: If a researcher gets offered $10,000 for the discovery and patch of a high-impact vulnerability, what competing incentives do malicious hacking groups offer?
“In any case, this is a positive effort and we hope it’s further supported by other top firms,” Britton said. “We believe in a strong cybersec community and encourage Google to also continue to invest in the pipeline of talent in the cybersecurity marketplace.”
Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.