UPDATED 00:24 EDT / DECEMBER 05 2016


Google launches new security service for open-source software

Google Inc. is launching a new service aimed at continuously testing open-source software projects for security vulnerabilities.

The new service is called OSS-Fuzz, and is currently available in beta to a select number of open-source projects that have either been deemed critical to global information technology infrastructure or have a very large user base. Google says the service is the result of several years' work and planning alongside the Core Infrastructure Initiative, a Linux Foundation-backed organization focused on open-source security whose members include Amazon Web Services, Cisco Systems Inc., Hewlett-Packard Enterprise Co., IBM Corp. and others.

Google announced OSS-Fuzz in a blog post last week, saying the aim is to provide a “continuous security fuzzing service” for the most vital open-source software projects. Fuzz testing feeds a program a large volume of generated and malformed inputs and watches for crashes, hangs and memory errors. Google’s blog post cites buffer overflows as an example of the hard-to-find programming errors fuzzing surfaces. In practice the fuzzers OSS-Fuzz builds on, such as libFuzzer, do not throw purely random data at a target: they mutate inputs guided by which code paths each input reaches, and run the target under sanitizers such as AddressSanitizer so that an out-of-bounds read or write is reported even when it would not otherwise crash the process.
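Fuzzing as the paragraph above describes it, as an added example in C that is not Google’s or OSS-Fuzz’s own code: a libFuzzer-style target (`LLVMFuzzerTestOneInput`) for a small, deliberately buggy length-prefixed record parser, beside its hardened form, with a minimal mutation loop and a canary-filled guard region standing in for the fuzzing engine and AddressSanitizer so the file runs on its own. The record format, the parser, the seed input and the `USE_LIBFUZZER` macro are assumptions made for this example; the `LLVMFuzzerTestOneInput` signature and the `clang -fsanitize=fuzzer,address` build flags are libFuzzer’s real ones.

```c
/* Added example, not code from Google, OSS-Fuzz or any project it tests: a
 * libFuzzer-style fuzz target for a small, deliberately buggy record parser,
 * plus a minimal mutation loop and redzone check so it runs stand-alone. With
 * real libFuzzer, define USE_LIBFUZZER to drop main(), build with
 * `clang -fsanitize=fuzzer,address target.c` and let AddressSanitizer check.
 * The record format, parser and seed input are all constructed for this page. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* size of the parser's output buffer */
#define REDZONE  256  /* guard bytes placed after it, as a sanitizer would */
#define CANARY   0xA5

/* Record layout: byte 0 is the name length n, bytes 1..n are the name.
 * Deliberately vulnerable: checks that the input holds n bytes but not that
 * the NAME_MAX-byte output buffer does, so n > NAME_MAX writes past its end. */
int parse_record_vulnerable(const uint8_t *data, size_t size, uint8_t *out)
{
    if (size < 1) return -1;
    size_t n = data[0];
    if (size < 1 + n) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = data[1 + i];
    return (int)n;
}

/* Hardened: rejects any record whose name would not fit in the buffer. */
int parse_record_fixed(const uint8_t *data, size_t size, uint8_t *out)
{
    if (size < 1) return -1;
    size_t n = data[0];
    if (n > NAME_MAX || size < 1 + n) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = data[1 + i];
    return (int)n;
}

typedef int (*parser_fn)(const uint8_t *, size_t, uint8_t *);

/* Runs one input through a parser; returns 1 if any guard byte after the
 * NAME_MAX-byte buffer was overwritten (what ASan reports as a buffer
 * overflow). Buffer and guard share one array, so this is well-defined C. */
int input_overflows(parser_fn parse, const uint8_t *data, size_t size)
{
    uint8_t storage[NAME_MAX + REDZONE];
    memset(storage, CANARY, sizeof storage);
    parse(data, size, storage);
    for (size_t i = NAME_MAX; i < sizeof storage; i++)
        if (storage[i] != CANARY) return 1;
    return 0;
}

/* Entry point libFuzzer calls once per generated input. Under ASan this would
 * just call the parser; here the redzone check stands in for the sanitizer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (input_overflows(parse_record_vulnerable, data, size))
        abort();    /* makes the engine save the offending input as a crash file */
    return 0;       /* libFuzzer requires the target to return 0 */
}

static uint32_t rng_state;  /* small deterministic PRNG: same seed, same run */
static uint32_t rng_next(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

/* Minimal stand-in for a fuzzing engine: mutate one valid seed record, one byte
 * overwrite or bit flip per iteration, until an input trips the redzone.
 * Returns that iteration number, or -1 if none did within max_iters. */
int mini_fuzz(parser_fn parse, uint32_t seed, int max_iters)
{
    /* Constructed seed: length 10, 10-byte name, zero-padded to 40 bytes so a
     * mutated length byte up to 39 still passes the input-size check. */
    uint8_t input[40] = { 10, 'o','s','s','-','f','u','z','z','e','r' };
    rng_state = seed;
    for (int iter = 0; iter < max_iters; iter++) {
        size_t pos = rng_next() % sizeof input;
        if (rng_next() & 1)
            input[pos] = (uint8_t)rng_next();                /* overwrite a byte */
        else
            input[pos] ^= (uint8_t)(1u << (rng_next() % 8)); /* flip one bit */
        if (input_overflows(parse, input, sizeof input))
            return iter;
    }
    return -1;
}

#ifndef USE_LIBFUZZER   /* define when building with -fsanitize=fuzzer */
int main(void)
{
    printf("vulnerable: overflow after %d inputs\n", mini_fuzz(parse_record_vulnerable, 1, 20000));
    printf("fixed: %d (-1 means no overflow found)\n", mini_fuzz(parse_record_fixed, 1, 20000));
    return 0;
}
#endif
```

Left to run, the mutation loop typically trips the guard region on the vulnerable parser within a few hundred inputs (any length byte between 17 and 39 does it) and never does on the fixed one. With libFuzzer and ASan the same target would instead stop with a buffer-overflow report and a saved crash input, which is the kind of finding OSS-Fuzz files with a project.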

A recent study by Black Duck Software seems to justify the need for this kind of service. In the study, some 65 percent of enterprises said they rely on open-source software components to speed up application development, while 55 percent said they also run open-source software in production environments.

“Open source software is the backbone of the many apps, sites, services and networked things that make up ‘the internet,’” Google’s engineers said. “It is important that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”

Early results have been positive: Google says OSS-Fuzz has already helped uncover around 150 bugs across a variety of open-source projects. Google did not list which projects it tested with OSS-Fuzz, though it did say many of them are “widely used.”

Once a bug has been found, the project’s developers are notified and the clock on Google’s standard 90-day disclosure deadline for security flaws starts; when it expires, the bug report is made public.

Image credit: MikeZhang via pixabay
