Google, Microsoft Invest $5M In Alpha-Omega Project

Google and Microsoft on Tuesday announced an additional $5 million investment in a project that will hep to identify and fix zero-day vulnerabilities and other bugs in open-source software, following a meeting with government and industry leaders at the White House.

The Alpha-Omega Project aims to improve global OSS supply-chain security by working with project maintainers to look for new, as-yet-undiscovered vulnerabilities in open-source software code, and get them fixed.

The recent investment is in addition to another $10 million recurring commitment the two made to Open Source Security Foundation (OpenSSF) last year, along with Amazon, Facebook, and Oracle.

The project has two components — Alpha and Omega.

Alpha will work on “the most critical open-source projects,” helping to identify and fix security vulnerabilities. OpenSSF will identify these projects.  Omega will identify at least 10,000 of the most widely used OSS projects through a suite of software tools, and “apply automated security analysis, scoring, and remediation guidance.”

"Open-source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure," stated Brian Behlendorf, general manager, OpenSSF. "Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open-source projects through proactively finding, fixing, and preventing vulnerabilities.  This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

OSS projects critical to the global infrastructure have become top targets for attacks. For example, the recently discovered vulnerabilities in the Log4j library forced many organizations to race to update and patch applications.

Ariel Parnes, co-founder and COO at Mitiga, which detects and helps companies recover from attacks in the cloud, calls Log4j vulnerabilities the “ultimate gift for cybercriminals.”

The additional investment by Google and Microsoft was made following an open-source security summit hosted by The White House. Members from across the public and private sectors gathered to discuss how to tackle flaws in software. Participants included Apache Software Foundation, Apple, Cloudflare, Meta, Google, IBM, Microsoft, Intel, The Linux Foundation, and many others.

Next story loading loading..