The primary goal of the SOS program will be to ensure that projects are protected from attacks on the supply chain.
Google has announced a new funding pilot program under which the company will provide $1 million to strengthen the security of critical open source projects. The Secure Open Source (SOS) program will be managed by the Linux Foundation, while the money will be provided by the Google Open Source Security Team (GOSST).
Through the program, Google plans to sponsor project developers so that they can invest in solutions to harden their code. Priority will be given to projects that are widely used across many industries and play a key role in the software ecosystem.
SOS’s primary focus will be to ensure that projects are protected against attacks on applications and the supply chain.
As reported on the official website of the initiative, the SOS committee will favour submissions that accomplish tasks such as:
- Strengthening the security of the software supply chain, including CI/CD and distribution infrastructure;
- Signing and verifying software artifacts;
- Improving a project's results under the OpenSSF Scorecard tool, which assesses security risks in code repositories and their dependencies;
- Deploying OpenSSF Allstar and fixing the security issues it discovers;
- Obtaining a CII Best Practices Badge.
The amount of sponsorship will be determined by how complex the project is and what impact the proposed solutions will have:
$10,000 or more will go to complex, continuous improvements that have a large impact on the security of projects and eliminate major vulnerabilities in the code and supporting infrastructure.
$5,000-10,000 will be allocated to mid-range improvements that provide compelling security benefits.
$1,000-5,000 will be awarded for improvements of medium complexity and impact.
$505 will be allocated for small improvements that still add value to security.
“$1 million is just the beginning. We see the SOS pilot program as a launching pad for future events that will hopefully bring other large organizations together and develop into a stable long-term initiative under the umbrella of OpenSSF,” said Google.
The Open Source Security Foundation (OpenSSF) is a cross-industry forum for collaborative efforts to improve the security of open source software. The founding board members include GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat.