Google Cloud will offer a secure open source software service
After implementing several internal security controls on the open source software (OSS) it uses, Google Cloud will offer a secure OSS service containing these products.
The Assured Open Source Software service is set to debut in preview in the third quarter of this year, allowing organizations that may not have the same resources as the cloud giant to integrate its secure OSS packages into their own development workflows.
Google's graphic illustrates the stages of the software supply chain for open source dependencies and the verification Google performs at each stage.
“In our case, we start by keeping separate secure copies of the source code for our dependencies and perform our own vulnerability analysis,” Google said. “We are continually fuzzing 550 of the most commonly used open source projects, and in January 2022 found over 36,000 vulnerabilities. This makes us one of the biggest contributors to the OSV [Open Source Vulnerabilities database].” Several other checks are also performed throughout the workflow.
Google said that packages curated by the Assured OSS service:
- are regularly scanned, analyzed and fuzz-tested for vulnerabilities
- have corresponding rich metadata incorporating container/artifact analysis data
- are built with Cloud Build, including proof of verifiable SLSA compliance
- are verifiably signed by Google
- are distributed from a secure artifact registry protected by Google
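The five properties above only protect a consumer who actually checks them before installing. As an added example that is not part of the article or of Google's service, the Go program below shows the consumer-side gate in its simplest form: a pinned publisher public key, a provenance statement that names the artifact by SHA-256 digest and records its builder, and a Verify step that rejects anything whose signature, digest or builder does not match. Ed25519 from the Go standard library, the Provenance struct, the builder identifier and the sample artifact bytes are all assumptions made for this example; Assured OSS's real signing scheme, key and attestation format are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// TrustedBuilderID is an assumed placeholder for the builder the consumer's
// policy trusts; it is not Google's builder identifier.
const TrustedBuilderID = "example-trusted-builder"

// Provenance is a minimal, SLSA-style statement constructed for this example:
// it names the artifact by digest and records who built it and from what source.
type Provenance struct {
	Subject   string `json:"subject"`    // artifact file name
	SHA256    string `json:"sha256"`     // hex SHA-256 of the artifact bytes
	BuilderID string `json:"builder_id"` // builder that produced the artifact
	SourceURI string `json:"source_uri"` // source the build consumed
}

// SignedArtifact is what a consumer fetches from a registry: the artifact,
// the provenance statement, and a signature over that statement.
type SignedArtifact struct {
	Artifact   []byte
	Provenance []byte // JSON-encoded Provenance
	Signature  []byte // Ed25519 signature over Provenance
}

// Publish simulates the trusted build-and-sign side: hash the artifact, emit
// provenance, and sign the provenance with the publisher's private key.
func Publish(priv ed25519.PrivateKey, name string, artifact []byte, builder, source string) (SignedArtifact, error) {
	sum := sha256.Sum256(artifact)
	p := Provenance{Subject: name, SHA256: hex.EncodeToString(sum[:]), BuilderID: builder, SourceURI: source}
	stmt, err := json.Marshal(p)
	if err != nil {
		return SignedArtifact{}, err
	}
	return SignedArtifact{Artifact: artifact, Provenance: stmt, Signature: ed25519.Sign(priv, stmt)}, nil
}

// Verify is the gate to run before a package is installed:
//  1. the provenance must be signed by the pinned publisher key,
//  2. the artifact bytes must hash to the digest the provenance names,
//  3. the builder must be the one the policy trusts.
// Any failure rejects the artifact; there is no "install anyway" path.
func Verify(pub ed25519.PublicKey, sa SignedArtifact, trustedBuilder string) (Provenance, error) {
	var p Provenance
	if !ed25519.Verify(pub, sa.Provenance, sa.Signature) {
		return p, errors.New("provenance signature does not verify against pinned key")
	}
	if err := json.Unmarshal(sa.Provenance, &p); err != nil {
		return p, fmt.Errorf("malformed provenance: %w", err)
	}
	sum := sha256.Sum256(sa.Artifact)
	if hex.EncodeToString(sum[:]) != p.SHA256 {
		return p, errors.New("artifact digest does not match signed provenance")
	}
	if p.BuilderID != trustedBuilder {
		return p, fmt.Errorf("untrusted builder %q", p.BuilderID)
	}
	return p, nil
}

// Scenario exercises the gate on a genuine artifact, a tampered artifact and a
// statement signed with an unrelated key; it reports whether each was accepted.
func Scenario() (goodAccepted, tamperedAccepted, wrongKeyAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample standing in for a downloaded package; not a real release.
	artifact := []byte("example-lib-1.2.3.tar.gz: constructed sample bytes")
	source := "git+https://example.invalid/example-lib@v1.2.3" // assumed source URI
	sa, err := Publish(priv, "example-lib-1.2.3.tar.gz", artifact, TrustedBuilderID, source)
	if err != nil {
		return false, false, false, err
	}
	_, errGood := Verify(pub, sa, TrustedBuilderID)
	goodAccepted = errGood == nil

	// Flip one byte of the artifact after signing: digest check must fail.
	tampered := sa
	tampered.Artifact = append([]byte(nil), sa.Artifact...)
	tampered.Artifact[0] ^= 0x01
	_, errTampered := Verify(pub, tampered, TrustedBuilderID)
	tamperedAccepted = errTampered == nil

	// Same content signed by a key the consumer never pinned: signature check must fail.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged, err := Publish(otherPriv, "example-lib-1.2.3.tar.gz", artifact, TrustedBuilderID, source)
	if err != nil {
		return false, false, false, err
	}
	_, errWrongKey := Verify(pub, forged, TrustedBuilderID)
	wrongKeyAccepted = errWrongKey == nil
	return goodAccepted, tamperedAccepted, wrongKeyAccepted, nil
}

func main() {
	good, tampered, wrongKey, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine artifact accepted: %v\n", good)
	fmt.Printf("tampered artifact accepted: %v\n", tampered)
	fmt.Printf("artifact signed with unrelated key accepted: %v\n", wrongKey)
}
```

The order of the checks matters: the signature is verified over the raw statement bytes before they are parsed, so an attacker cannot feed the JSON decoder unsigned input, and the digest is compared only after the statement is known to be authentic. In a real pipeline the pinned public key would come from the publisher's documentation or a transparency log rather than being generated in the same process.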
As this list of ADTmag articles shows, risky free software has been a problem for many years:
More recent Virtualization & Cloud Review articles reveal an improving situation, but still a mixed bag on the open source security front:
The new Assured OSS service should further improve the situation.
“We recognize that most organizations don’t have the resources or experience to build and operate such a comprehensive program,” Google said. “Instead, their development teams can individually decide where to get third-party source code and packages, how they’re built, and how to redistribute them within their own organizations based on their goals, threat model, and risk and their resources. However, the lack of an end-to-end process creates risk exposure every step of the way.”
Google also announced a related partnership with Snyk, a developer security company, to help developers understand the risks associated with using open source dependencies, in which:
- Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they develop code.
- Snyk vulnerabilities, trigger actions, and remediation recommendations will be available to joint customers in Google Cloud's security and software development lifecycle tools to improve the developer experience.
Organizations – whether business or public sector – can complete a form to learn more about the upcoming Assured OSS service.