Google has partnered with the Open Source Technology Improvement Fund (OSTIF) to sponsor security reviews of eight open-source projects.
According to OSTIF's announcement, 25 candidate projects were initially identified, all of them classed as critical.
The shortlist was drawn up using the OpenSSF Criticality Score Project, on which Harvard LISH and the Linux Foundation also worked,
together with the University of Washington paper ‘Underproduction: An Approach for Measuring Open Source Software Risk’.
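To make the ranking step concrete, the following is an added example (not code from OSTIF, OpenSSF or this article) that implements the published Criticality Score formula: each signal is log-scaled against a threshold, weighted, and the weighted sum is normalised by the total weight. The weights and thresholds below are reproduced from memory of the project's defaults and should be treated as assumptions; the project records are constructed sample data, not real measurements.

```python
import math

# (weight, threshold) per signal. Assumed to match the Criticality Score
# defaults; verify against the project's own documentation before relying on them.
PARAMS = {
    "created_since": (1.0, 120),        # months since first commit
    "updated_since": (-1.0, 120),       # months since last commit (staleness penalises)
    "contributor_count": (2.0, 5000),
    "org_count": (1.0, 10),
    "commit_frequency": (1.0, 1000),    # commits per week, averaged over a year
    "recent_releases_count": (0.5, 26),
    "closed_issues_count": (0.5, 5000),
    "updated_issues_count": (0.5, 5000),
    "comment_frequency": (1.0, 15),
    "dependents_count": (2.0, 500000),
}


def param_score(value, threshold):
    """log(1 + S) / log(1 + max(S, T)): 0 at S=0, 1 at or above the threshold."""
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(project):
    """Weighted average of the per-signal scores, rounded as the reference tool does."""
    total_weight = sum(w for w, _ in PARAMS.values())
    weighted = sum(
        w * param_score(project.get(name, 0), t) for name, (w, t) in PARAMS.items()
    )
    return round(weighted / total_weight, 5)


def shortlist(projects, n):
    """Return the n highest-scoring (name, score) pairs, best first."""
    scored = [(p["name"], criticality_score(p)) for p in projects]
    return sorted(scored, key=lambda item: item[1], reverse=True)[:n]


# Constructed sample inputs; the numbers are illustrative only.
SAMPLE_PROJECTS = [
    {"name": "widely-used-lib", "created_since": 90, "updated_since": 1,
     "contributor_count": 800, "org_count": 12, "commit_frequency": 40,
     "recent_releases_count": 10, "closed_issues_count": 3000,
     "updated_issues_count": 2500, "comment_frequency": 8,
     "dependents_count": 250000},
    {"name": "abandoned-tool", "created_since": 100, "updated_since": 60,
     "contributor_count": 3, "org_count": 1, "dependents_count": 40},
    {"name": "weekend-project", "created_since": 2, "updated_since": 1,
     "contributor_count": 1, "org_count": 1, "commit_frequency": 1},
]

if __name__ == "__main__":
    for name, score in shortlist(SAMPLE_PROJECTS, 3):
        print(f"{name:20s} {score:.5f}")
```

Because every signal saturates at its threshold, a project that sits at or above every threshold scores exactly 1.0, and signals that exceed the threshold contribute no more than those that merely reach it; the ordering, not the absolute value, is what the shortlist uses.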
OSTIF already has successes to point to: its end-to-end review of Unbound, an open-source DNS resolver, led to one critical, five high-severity and five medium-severity issues being fixed.
Software security is hard. Few people are able to read through an application's source code and find its flaws, and automated testing only goes so far.
It would be wrong to assume that serious bugs in the top 100,000 open-source projects are being discovered with any regularity.