UPDATED 00:24 EDT / DECEMBER 05 2016

INFRA

Google launches new security service for open-source software

Google Inc. is launching a new service aimed at continuously testing open-source software projects for security vulnerabilities.

The new service is called OSS-Fuzz, and is currently available in beta for a select number of open-source projects, which have either been deemed critical to global information technology infrastructure or have a very large user base. Google says the service is the result of several years' work and planning alongside the Core Infrastructure Initiative, a Linux Foundation-backed organization focused on open-source security whose members include Amazon Web Services, Cisco Systems Inc., Hewlett Packard Enterprise Co., IBM Corp. and others.

Google announced OSS-Fuzz in a blog post last week, saying the aim is to provide a “continuous security fuzzing service” for the most vital open-source software projects. Fuzz testing is a technique that feeds software a large stream of random and malformed inputs with the aim of making it crash or misbehave. It is one of the most common methods used to spot difficult-to-find errors such as buffer overflows and SQL injections, Google’s blog post says.
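To make the technique concrete, here is an added example that is not code from OSS-Fuzz, Google or any project it tests: a fuzz target in the shape libFuzzer expects (the `LLVMFuzzerTestOneInput` entry point, which is the one libFuzzer really calls) for a small tag-length-value record format, together with a minimal stand-alone mutation driver so the whole file runs without libFuzzer. The record format, `parse_records`, the invariant used as an oracle and the `run_fuzz_campaign` driver are all assumptions made for this illustration. Under OSS-Fuzz, AddressSanitizer would be the thing catching a buffer overflow; here the oracle is an explicit check that what the parser claims to have consumed actually fits in the input.

```c
/* Added example (not OSS-Fuzz code): a libFuzzer-style fuzz target plus a
 * tiny stand-alone mutation driver. Format, parser and driver are constructed
 * for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format: 1-byte tag, 1-byte length, then `length` payload
 * bytes, repeated until the input is exhausted. Every field is checked against
 * the bytes remaining before it is read, so malformed data is rejected rather
 * than trusted. */
typedef struct { unsigned records; unsigned payload_bytes; } parse_result;

int parse_records(const uint8_t *data, size_t size, parse_result *out) {
    size_t off = 0;
    out->records = 0;
    out->payload_bytes = 0;
    while (off < size) {
        if (size - off < 2) return -1;             /* header truncated */
        uint8_t len = data[off + 1];
        if (len > size - off - 2) return -1;       /* payload truncated */
        out->payload_bytes += len;
        out->records++;
        off += 2 + (size_t)len;
    }
    return 0;
}

/* Convenience wrapper: number of records parsed, or -1 if the input is malformed. */
int count_records(const uint8_t *data, size_t size) {
    parse_result r;
    return parse_records(data, size, &r) == 0 ? (int)r.records : -1;
}

/* libFuzzer's entry point. Under OSS-Fuzz this is called once per generated
 * input and memory errors are caught by AddressSanitizer; the explicit oracle
 * below adds a logic invariant: a successful parse must account for every
 * byte of the input (2 header bytes per record plus the payload). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_result r;
    if (parse_records(data, size, &r) == 0) {
        if ((size_t)r.payload_bytes + 2u * r.records != size) abort();
    }
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

/* ---- stand-alone driver (kept out of the fuzz target, which must stay
 *      deterministic and free of global state) ---- */

/* Small xorshift PRNG so a campaign is reproducible from its seed. */
static uint32_t rng_state;
static uint32_t rnd(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Mutate a seed input the way a fuzzer's mutator does at its simplest:
 * flip a bit, overwrite a byte with a boundary value, truncate, or extend. */
static size_t mutate(uint8_t *buf, size_t len, size_t cap) {
    static const uint8_t interesting[] = {0x00, 0x01, 0x7f, 0x80, 0xfe, 0xff};
    switch (rnd() % 4) {
    case 0: if (len) buf[rnd() % len] ^= (uint8_t)(1u << (rnd() % 8)); break;
    case 1: if (len) buf[rnd() % len] = interesting[rnd() % sizeof interesting]; break;
    case 2: if (len) len = rnd() % len; break;                   /* truncate */
    default: if (len < cap) buf[len++] = (uint8_t)rnd(); break;  /* extend */
    }
    return len;
}

/* Feed `iterations` mutated variants of a well-formed seed corpus to the target.
 * Returns how many mutants still parsed as well-formed; an invariant violation
 * would abort(), just as a sanitizer report would under libFuzzer. */
unsigned run_fuzz_campaign(unsigned iterations, uint32_t seed) {
    /* constructed seed: three valid records (tag 1 "abc", tag 2 empty, tag 3 "x") */
    static const uint8_t corpus[] = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00, 0x03, 0x01, 'x'};
    uint8_t buf[64];
    unsigned accepted = 0;
    rng_state = seed ? seed : 1;
    for (unsigned i = 0; i < iterations; i++) {
        size_t len = sizeof corpus;
        memcpy(buf, corpus, len);
        for (int m = 0; m < 3; m++) len = mutate(buf, len, sizeof buf);
        accepted += (count_records(buf, len) >= 0);
        LLVMFuzzerTestOneInput(buf, len);
    }
    return accepted;
}

int main(void) {
    unsigned ok = run_fuzz_campaign(10000, 0x5eed);
    printf("10000 mutated inputs, %u parsed as well-formed, no invariant violations\n", ok);
    return 0;
}
```

Build and run it plainly with `cc -O1 -g fuzz_example.c && ./a.out`. To run the same target under libFuzzer the way OSS-Fuzz does, drop the `main` (libFuzzer supplies its own) and compile with `clang -fsanitize=fuzzer,address`; the sanitizer then replaces the hand-written oracle for memory-safety bugs, while logic invariants of the kind shown here still belong in the target.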

A recent study by Black Duck Software seems to justify the need for this kind of service. In the study, some 65 percent of enterprises admitted to relying on open-source software components to speed up application development, while 55 percent of firms said they also use open-source software in production environments.

“Open source software is the backbone of the many apps, sites, services and networked things that make up ‘the internet,’” Google’s engineers said. “It is important that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”

Early tests have proven to be quite positive, with OSS-Fuzz helping to uncover around 150 bugs in a variety of open-source projects so far, Google said. For reasons unknown, Google didn’t specify which open-source projects it tested with OSS-Fuzz, though it did say many of them are “widely used.”

Once a bug has been found, the developers of the software are notified and immediately become subject to Google’s 90-day disclosure deadline for security flaws, after which the vulnerability will be made public.

Image credit: MikeZhang via pixabay
