Google’s vested interest in Linux security

Google is boosting its financial support for developers working to secure Linux kernels, signaling its growing commitment to reinforcing open-source security. This move is timely, as threats targeting Linux have escalated, with hackers leveraging advanced techniques, including malware written in the Go programming language.

Alarming Growth in Malware Attacks

The prevalence of malware has surged dramatically, with incidents involving infected code rising by 500% over the past year—a staggering 2,000% increase compared to 2017. Go’s flexibility enables attackers to target Windows, Mac, and Linux systems using the same codebase. Additionally, Linux-related malware families saw a 40% uptick in 2020 alone, reflecting a widening security gap as cloud adoption accelerates.

Rising Concerns About Linux Vulnerabilities

Brandon Edwards, chief scientist at Capsule8, a company specializing in Linux-based production environments, anticipates that the rise in Linux vulnerabilities will continue. He highlights the challenges of securing kernel code, which often involves prolonged review and approval processes.

Balancing Security and Visibility in Open Source

Edwards emphasizes the importance of maintaining code visibility in open-source projects. He warns that removing visibility under the pretext of enhanced security could be counterproductive. Security measures, though crucial, can often be bypassed. However, proper visibility ensures that any malicious activity leaves traces, enabling early detection.

Developers must strike a balance between mitigation strategies and maintaining observability so that potential threats can be caught effectively. Although observability tools are built around assumptions about what is worth watching, they frequently surface activity that nobody anticipated, which improves overall security.

Google’s Role in Open Source Security

Google recently announced funding for two full-time Linux security developers to focus on kernel security, underscoring its commitment to bolstering open-source initiatives. The company has a history of supporting projects like the Python Software Foundation to improve supply chain security and is a founding member of the Open Source Security Foundation (OSSF).

Dan Lorenc, Google’s open-source security lead, highlighted the company’s responsibility to ensure the secure use of open-source software across its platforms, including Chrome, Android, and cloud services.

Recent High-Profile Security Incidents

A notable example of vulnerabilities in the open-source ecosystem was the compromise of the PHP Git server. Attackers used stolen credentials in an attempt to inject malware into the PHP codebase. While the incident didn’t reach end users, it underscored the critical need for robust security in software supply chains.

Addressing Open Source Security Challenges

Lorenc stressed that all components of the software supply chain, from build systems to artifact repositories, should be treated as critical. The PHP incident highlights how proactive measures can mitigate potentially severe consequences.

Big Tech’s Role in Strengthening Open Source

Lorenc believes that supporting existing maintainers and exploring innovative approaches like memory-safe programming languages are vital. While fuzzing tools help detect bugs, new development methodologies are needed to prevent errors from occurring in the first place.

The security of open-source software requires industry consensus and collaborative efforts to address challenges such as supply chain management, identity verification, and secure build pipelines.

The Growing Importance of Open Source Security

With an estimated 80% of modern systems relying on open-source code, prioritizing its security is more critical than ever. While industry attention has increased, Lorenc stresses the need for unified action to build a secure and resilient open-source ecosystem.