Seeking to reduce the risk of software supply chain vulnerabilities in open source software, Google announces that it will release its own approved open source packages and libraries for other organizations to use.
The company made the announcement in its Google Cloud Blog, claiming that its new Assured Open Source Software (Assured OSS) service will allow enterprise and public sector users to integrate the same open source software packages that Google uses into their own development workflows.
Google’s new cloud service, due in a preview release in Q3 2022, comes amid a huge increase in cyberattacks targeting open source, with recent examples including attacks exploiting the Log4j2 vulnerability in that framework, a Java-based open source logging library that is common on Apache web servers. But it’s not the only one. Supply chain management software provider Sonatype said in its Software Supply Chain Status Report that cyberattacks targeting open source vendors increased 650% year over year in 2021.
Additionally, enterprises today are increasingly using open source software, a trend that has accelerated during the pandemic, according to Red Hat’s State of Enterprise Open Source 2022 report, and a blog post by Red Hat President and CEO Paul Cormier. Indeed, the survey found that 80% of IT leaders expect to increase their use of enterprise open source software for emerging technologies.
Google is certainly not alone in its efforts to fix open source vulnerabilities. The Linux Foundation and the Open Software Security Foundation, with support from 37 companies including Amazon, Google, and Microsoft, recently published a plan to secure open source software.
Google Assured OSS
In his blog post announcing the release of Assured OSS, Andy Chang, Group Product Manager for Security and Privacy, wrote, “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in making the open source ecosystem more secure through efforts such as the Open Source Security Foundation (OpenSSF), Open Source Vulnerabilities Database (OSV), and OSS-Fuzz.”
Chang noted that Google’s release of Assured OSS follows other open source security initiatives the company discussed at the White House Open Source Security Summit in January.
“Open source software code is publicly available, free for anyone to use, modify, or inspect,” Kent Walker, president of global affairs for Google and parent company Alphabet, wrote in a blog post in January. “Because it’s freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. This is why many aspects of critical infrastructure and national security systems incorporate it.”
But this approach can also pose problems, as noted by Walker.
“There is no official allocation of resources and few formal requirements or standards to maintain the security of this critical code,” he wrote. “In fact, most of the work to maintain and improve open source security, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis.”
This opens up a big area of concern regarding the introduction of vulnerabilities that could be exploited. While some open-source projects have “lots of eyes” working on them and looking for problems, some projects don’t, Walker noted.
Along with its Assured OSS announcement, Google Cloud also announced a collaboration with Snyk, a security platform for developers. Google said Assured OSS will be natively integrated into Snyk solutions for common customers to use when developing code. Additionally, Snyk vulnerabilities, trigger actions, and remediation recommendations will be available to common customers in Google Cloud’s security and software development lifecycle tools to improve the developer experience, according to Google.
The collaboration addresses one of the key concerns that surfaced at the White House meeting in January: preventing security flaws and vulnerabilities in open source code and packages, improving the process of detecting and correcting flaws, and shortening the response time for distributing and deploying fixes.