Google has launched a new project for continuously testing open source software for security vulnerabilities.
The company’s new OSS-Fuzz service is available in beta starting this week, but at least initially it will only be available for open source projects that have a very large user base or are critical to global IT infrastructure.
Google developed the program over the past few years along with members of the Core Infrastructure Initiative, a Linux Foundation-organized effort focused on strengthening security within the open source community. Members include Amazon, Cisco, Google, HP, IBM and Fujitsu.
The objective in launching OSS-Fuzz is to provide a continuous security fuzzing service for vital open source software, multiple Google engineers explained in the company’s Testing Blog this week. Eventually, the goal is to try and make security fuzzing a standard part of the open source development environment to ensure bugs are quickly identified and remediated.
Fuzzing is a frequently used technique for uncovering coding errors and implementation bugs in a software product by barraging it with a large stream of random and malformed data to see if it will crash. Developers and testers often use fuzzing tools to uncover hard-to-find errors including buffer overflow errors, SQL injection and other issues quickly.
“Open source software is the backbone of the many apps, sites, services and networked things that make up ‘the internet’,” the Google engineers said. “It is important that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”
Google’s OSS-Fuzz project will use multiple fuzzing engines and so-called Sanitizers or testing tools for C++ to run continuous security tests on open source projects. Initially, OSS-Fuzz will use the libFuzzer engine and a fast memory error detection tool called AddressSanitizer and run its fuzzing service using a massively distributed environment.
Initial tests with the service have yielded positive results, according to Google. In early tests, OSS-Fuzz has already uncovered some 150 bugs in multiple open source projects many of which are widely used.
Beyond saying that only large open source projects and those of critical infrastructure importance will be considered for OSS-Fuzz, Google has not offered any examples of the specific projects it will consider for inclusion initially.
Projects that are signed up for the project will be automatically subject to Google’s 90-day disclosure deadline for any security flaws that are discovered in their software.
The security and reliability of open source software has become an increasingly important issue for enterprises. In a survey of open source use among enterprises conducted by Black Duck software earlier this year more than 65 percent of the respondents reported that they relied on open source components to speed up development times while about 55 percent said they used open source software in production environments.
At the same time, more than 50 percent of the companies in the survey said they had no formal policy for approving or selecting open source code while nearly the same number said they had no processes in place for tracking or controlling the use of open source software in their environment.
Security analysts believe that the untrammeled use of open source software has significantly heightened security risks for organizations.
