Finding Vulnerabilities in Open Source Projects
The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:
The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.
This is an excellent idea. Open-source code ends up in all sorts of critical applications.
Log4j would be a prototypical vulnerability that the Alpha team might look for — an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.
Quantry • February 2, 2022 10:59 AM
https://openssf.org/press-release/2022/02/01/openssf-announces-the-alpha-omega-project-to-improve-software-supply-chain-security-for-10000-oss-projects/
“providing stakeholders with a better understanding of the security of the open source project they depend on”
Humbling Open Source in the process, and providing zero-days for key players.
“Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative.”
doesn’t sound just a little odd with those names first at the gate:
TWO OPENLY COMMITTED to HIDING THEIR SOURCE???
Woolvz guarding the chicken coop. I feel safer now.