Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Google is giving its financial backing to the Open Source Technology Improvement Fund (OSTIF), with plans to sponsor security reviews in a handful of critical open source software projects.

Open source software plays an integral role in the software supply chain, and it is incorporated into many critical infrastructure and national security systems. However, data suggests “upstream” attacks on open source software have increased significantly in the past year. Moreover, after countless organizations — from government agencies to hospitals and corporations — were hit by targeted software supply chain attacks, President Biden issued an executive order in May outlining measures to combat it.


Today’s announcement comes less than a month after Google unveiled a $10 billion cybersecurity commitment to support President Biden’s plans to bolster U.S. cyber defenses. As part of its five-year investment, Google said it would help fund zero-trust program expansions, secure the software supply chain, improve open source security, and more.


Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

Specifically, Google pledged $100 million to third-party foundations that support open source security.

The first fruits of this commitment will see Google fund OSTIF’s new managed audit program (MAP), with a view toward expanding its existing security reviews to more projects. OSTIF, a nonprofit organization founded back in 2015 to support security audits in open source technologies, initially identified 25 projects for MAP, which it says identifies “the most critical digital infrastructure.” From there, it prioritized eight libraries, frameworks, and apps “that would benefit the most from security improvements and make the largest impact on the open source ecosystem that relies on them.”

These eight projects are: Git, Lodash, Laravel, Slf4j, Jackson-core, Jackson-databind, Httpcomponents-core, and Httpcomponents-client.

It’s worth noting that Google’s investment isn’t entirely altruistic, as its own software and infrastructure relies heavily on robust open source components — the internet giant has announced a slew of similar open source-related security initiatives this year. Back in February, Google revealed it was sponsoring Linux kernel developers, for example, while a few months ago it introduced Supply Chain Levels for Software Artifacts (SLSA), which it touts as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.” The company also recently extended its open source vulnerabilities database to cover Python, Rust, Go, and DWF.

Although OSTIF is focusing MAP on just eight projects for now, it hopes to “significantly grow operations to support hundreds of projects in the coming few years.”

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.