Count on Google’s expertise in cybersecurity

Sheila Zabeu

May 25, 2022

Developers and users of open source software can now count on Google to help boost their cybersecurity initiatives. With attention focused on the 650% increase in the volume of cyberattacks aimed at exploiting vulnerabilities in the open source ecosystem in 2021, Google announced the new Assured Open Source Software (OSS) service, which will make the open source packages and libraries Google itself uses available for other organizations to use.

Claiming on its blog to be one of the largest maintainers, contributors, and users of open source, Google says it is deeply involved in helping to make this ecosystem more secure through efforts that include participation in the Open Source Security Foundation (OpenSSF), contributions to the Open Source Vulnerabilities (OSV) database, and OSS-Fuzz. Most recently, Google joined the OpenSSF, the Linux Foundation, and other industry leaders in a meeting to advance initiatives discussed during the White House Summit on Security for Open Source Software in January.

Assured Open Source Software will allow you to easily incorporate into developer workflows the same packages and libraries that Google uses in its own open source software security practice. This Google-curated suite has the following features:

  • It is regularly checked, analyzed, and tested to identify possible vulnerabilities;
  • It has enriched metadata that incorporates container and artifact analysis data;
  • It is built with Cloud Build, with verifiable evidence of compliance with SLSA (Supply-chain Levels for Software Artifacts), a standards checklist, and controls to prevent tampering, improve integrity, and protect packages and infrastructure;
  • It is verifiably signed by Google;
  • It is distributed from a Google-protected Artifact Registry.

With these elements, Assured OSS enables organizations to benefit from Google’s cybersecurity expertise and reduce the need to develop, maintain, and operate complex processes to protect their open source dependencies.

Assured OSS is expected to be offered in Preview mode in Q3 2022.

In addition, Google and Snyk, a company specializing in secure development solutions, announced their intention to further help developers understand the risks and impacts of their open source dependencies and use Assured OSS to help reduce them. To this end, Assured OSS will be natively integrated into Snyk’s solutions, and vulnerabilities, trigger actions, and remediation recommendations will be made available to mutual customers in Google Cloud’s development lifecycle management and security tools to improve the developer experience.

This joint initiative is expected to reduce the chances of adopting open source software with critical vulnerabilities, identify the impacts of potential flaws more quickly, mitigate exposure to new threats, and further automate remediation activities.

Security at home

The figure below details the various stages in the software supply chain for open source dependencies. Organizations have very different entry points in this life cycle: some build packages from source, while others consume packages from trusted repositories.

Some organizations, including Google, centralize control and actively protect every step of the end-to-end process. Google, for example, starts by maintaining separate secure copies of source code and conducts its own vulnerability scanning. It continuously fuzzes the 550 most widely used open source projects and, in January 2022 alone, found more than 36,000 vulnerabilities.

Source: Google

Recognizing that most organizations don’t have the resources or expertise to do the same for the benefit of open source security, Google has acted to contribute to the ecosystem with initiatives such as the launch of the Assured OSS service.