Google last week announced a new service aimed at continuously testing open-source software projects for security vulnerabilities. Called OSS-Fuzz, it is currently available in beta for a select number of open-source projects, which have either been deemed critical to global information technology infrastructure or have a very large user base. The open source security team at Black Duck commented below.
Open Source Security Team at Black Duck:
“OSS-Fuzz is a great new resource for the open source community to improve the quality of their components and identify vulnerabilities very early. One outcome of this effort will be to increase user confidence in both open source software development as well as with specific components.”
“OSS-Fuzz potentially could become an essential tool for all open source projects during their development cycles, but will also increase the need for robust management systems. Many (Google) eyes will undoubtedly detect new vulnerabilities in older applications, which will flood the OSS community with new known risks to overcome.”
“Vulnerability reporting is a crucial component of any open source risk management to determine if any component used in the development of a product has disclosed vulnerabilities; even long after the product is released. Open source “consumers” will still need to be vigilant and take ownership of open source vulnerability management for their applications since there are millions of open source components and only a small portion of them will be tested with OSS-Fuzz.”