Allstar automatically checks projects for unwanted changes

Aug 14, 2021 05:20 GMT  ·  By

In the face of a rising number of attacks against open-source software, large corporations are stepping in to help developers improve security with free services and tools, Dark Reading reports.

Google has released a new tool for developers that automates part of the work of safeguarding a project: it watches a repository's security-relevant settings and verifies that they have not been changed out from under the maintainers. The tool, called Allstar, runs checks to determine whether security-critical settings have been altered from what the project's policy requires.

Allstar, in conjunction with another Google tool called Scorecard, gives project maintainers assurance that their security settings are still what they expect them to be, according to Jeff Mendoza, engineering lead on Allstar at Google. Developers can use Scorecard to assess where a project stands, then have Allstar automatically enforce the corresponding policies from that point on.

Scorecard evaluates projects against 18 distinct criteria, such as whether they automatically update dependencies, are actively maintained, and use automated vulnerability discovery (fuzzing or static analysis, for example) to catch easy-to-find flaws.

How does it work?

According to the OpenSSF announcement, Google made the tool available on Monday and is operating an Allstar instance that anyone can install on their GitHub repositories. Once installed, Allstar monitors the repository and checks that no unwanted changes are made: the repository's live configuration is compared against the security policy the project has declared, and if the two do not match, an enforcement action can be taken. Because the comparison runs continuously rather than once, a setting that is relaxed after the initial assessment (branch protection switched off, for instance) is caught on the next pass instead of going unnoticed until the next audit.
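The check-and-enforce loop described above, written out as a small Go model for this article. This is added example code, not Allstar's own source: the `RepoSettings` struct stands in for state that would really be read from the GitHub API, the policy fields and the `Enforce` function are simplified assumptions, and only the three action names (log, issue, fix) are taken from Allstar's documented options. The repository state is constructed inline so the program runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the checker does when a policy is violated. The three values
// mirror the options Allstar documents; everything else in this file is a
// simplified model written for this article, not Allstar code.
type Action string

const (
	ActionLog   Action = "log"   // only record the violation
	ActionIssue Action = "issue" // open a tracking issue in the repository
	ActionFix   Action = "fix"   // change the repository setting back
)

// RepoSettings is a constructed stand-in for the branch-protection state that
// would normally be fetched from the GitHub API on every pass.
type RepoSettings struct {
	Name              string
	DefaultBranch     string
	Protected         bool     // a branch protection rule exists at all
	RequiredApprovals int      // approving reviews required before merge
	AllowForcePush    bool     // force pushes permitted on the default branch
	OpenIssues        []string // issues "opened" by enforcement (model only)
}

// BranchProtectionPolicy is the project's declared expectation. The field
// names are this example's own, not Allstar's configuration keys.
type BranchProtectionPolicy struct {
	RequireApproval bool
	ApprovalCount   int
	BlockForce      bool
	Action          Action
}

// Evaluate compares live settings to the policy and returns one message per
// mismatch. An empty slice means the repository is compliant.
func (p BranchProtectionPolicy) Evaluate(r RepoSettings) []string {
	var violations []string
	if !r.Protected {
		// Without any rule the remaining checks are moot: report and stop.
		return append(violations, fmt.Sprintf("%s: no branch protection on %s", r.Name, r.DefaultBranch))
	}
	if p.RequireApproval && r.RequiredApprovals < p.ApprovalCount {
		violations = append(violations, fmt.Sprintf("%s: %d approving review(s) required, policy wants %d",
			r.Name, r.RequiredApprovals, p.ApprovalCount))
	}
	if p.BlockForce && r.AllowForcePush {
		violations = append(violations, fmt.Sprintf("%s: force pushes allowed on %s", r.Name, r.DefaultBranch))
	}
	return violations
}

// Enforce runs one check-and-act cycle, which is what a continuously running
// checker does on every pass. It returns the violations found so the caller
// can log them whatever the configured action is.
func Enforce(r *RepoSettings, p BranchProtectionPolicy) []string {
	violations := p.Evaluate(*r)
	if len(violations) == 0 {
		return nil
	}
	switch p.Action {
	case ActionIssue:
		// Keep a single tracking issue open rather than filing one per pass.
		if len(r.OpenIssues) == 0 {
			r.OpenIssues = append(r.OpenIssues, "Branch protection violation:\n"+strings.Join(violations, "\n"))
		}
	case ActionFix:
		// Restore exactly what the policy asks for; "log" leaves state alone.
		r.Protected = true
		if p.RequireApproval && r.RequiredApprovals < p.ApprovalCount {
			r.RequiredApprovals = p.ApprovalCount
		}
		if p.BlockForce {
			r.AllowForcePush = false
		}
	}
	return violations
}

func main() {
	policy := BranchProtectionPolicy{RequireApproval: true, ApprovalCount: 1, BlockForce: true, Action: ActionIssue}
	// Constructed drift: the repo was compliant once, then someone dropped the
	// review requirement and enabled force pushes on main.
	repo := RepoSettings{Name: "example/project", DefaultBranch: "main", Protected: true, RequiredApprovals: 0, AllowForcePush: true}

	for _, v := range Enforce(&repo, policy) {
		fmt.Println("violation:", v)
	}
	fmt.Printf("issues opened: %d\n", len(repo.OpenIssues))

	policy.Action = ActionFix
	Enforce(&repo, policy)
	fmt.Println("after fix, compliant:", len(policy.Evaluate(repo)) == 0)
}
```

The separation between `Evaluate` and `Enforce` is the part worth copying: the comparison is pure and can be run in a dry-run or audit mode, and the action is a policy choice layered on top, so a project can start with `log`, move to `issue` once it trusts the checks, and only then allow `fix` to rewrite settings.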

Mendoza says, "With the huge popularity of open source, attackers see a compromised project as a way to infiltrate both closed and open systems," adding, "Since open source is rarely a live running system, attacks are on the supply-chain side: either compromising the code base, or injecting a compromise somewhere between the code and where the project is built and used on other systems."