At a time when cyber-attacks are becoming more common, Google has announced a new security tool that aims to increase the security of open source software.
Assured Open Source Software (Assured OSS) lets users incorporate the same vetted open source packages that Google uses and secures internally into their own workflows.
Open source software continues to be a popular target for security attacks, and as Google notes in its announcement, the number of cyberattacks targeting open source vendors has increased by 650% year on year. Because software supply chains so often incorporate open source code, which is by design accessible and easy to modify, they are particularly exposed to this kind of attack.
Google is far from the only entity concerned with the fact that open source software, despite its many advantages, can be easily abused. The company, along with OpenSSF and the Linux Foundation, is following up on security initiatives highlighted at the recent White House Summit on Open Source Security. Microsoft also recently announced a new cybersecurity-based initiative.
There have been plenty of high-profile cybersecurity vulnerabilities in the recent past, such as Log4j and Spring4Shell. In an effort to prevent such attacks, Google has now introduced Assured OSS.
As part of Assured OSS, Google hopes to enable both business and public sector users to incorporate the Google OSS packages into their own developer workflows. For its part, the company promises that the packages curated by the service will be regularly scanned, fuzz-tested and analyzed to ensure no vulnerabilities slip past its defenses.
All packages are built with Google’s Cloud Build and thus come with verifiable SLSA compliance. SLSA stands for Supply-chain Levels for Software Artifacts and is a well-known framework that aims to standardize the security of software supply chains. Each package is also verifiably signed by Google and comes with associated metadata that incorporates Google’s Container/Artifact analytics data.
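The value of a signed package with build provenance only materializes when the consumer actually checks it. The following Go program is an added illustration of that consumer-side check in the general SLSA style; it is not Google's or Assured OSS's tooling. It assumes an Ed25519 signing key standing in for the producer's key, a constructed package payload, and an assumed builder identifier; the signature, the builder identity, and the artifact digest in the statement are all verified before the artifact is accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Provenance is a minimal SLSA-style statement: Subject lists the digest of the
// artifact the attestation covers, Builder names the system that built it.
type Provenance struct {
	Subject []Subject `json:"subject"`
	Builder string    `json:"builder"`
}

// Subject is one artifact covered by the statement, keyed by digest algorithm.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Attestation is the serialized statement plus a detached signature over it.
type Attestation struct {
	Statement []byte
	Signature []byte
}

// Attest is the producer side (a stand-in for a build system such as Cloud Build):
// it records the artifact's sha256 in the statement and signs the statement.
func Attest(priv ed25519.PrivateKey, builder, name string, artifact []byte) (Attestation, error) {
	sum := sha256.Sum256(artifact)
	stmt := Provenance{
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		Builder: builder,
	}
	raw, err := json.Marshal(stmt)
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Statement: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Verify is the consumer side. It fails closed on any of three conditions:
// the signature does not verify under the trusted key, the builder is not the
// one expected, or the downloaded bytes do not match a subject digest.
func Verify(pub ed25519.PublicKey, expectedBuilder string, artifact []byte, att Attestation) error {
	if !ed25519.Verify(pub, att.Statement, att.Signature) {
		return errors.New("provenance signature does not verify under trusted key")
	}
	var stmt Provenance
	if err := json.Unmarshal(att.Statement, &stmt); err != nil {
		return fmt.Errorf("malformed provenance statement: %w", err)
	}
	if stmt.Builder != expectedBuilder {
		return fmt.Errorf("unexpected builder %q", stmt.Builder)
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == got {
			return nil
		}
	}
	return errors.New("artifact digest not covered by provenance statement")
}

func main() {
	// Constructed key pair and package bytes; a real consumer would pin the
	// producer's published public key instead of generating one here.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const builder = "https://builder.example/assumed-build-system"
	pkg := []byte("constructed package contents v1.0")

	att, _ := Attest(priv, builder, "example-lib-1.0.tgz", pkg)
	fmt.Println("genuine artifact:", Verify(pub, builder, pkg, att))
	fmt.Println("tampered artifact:", Verify(pub, builder, []byte("swapped contents"), att))
}
```

Note that the builder check is what ties "built with Cloud Build" to something a consumer can enforce: a validly signed statement from the wrong builder is rejected just like a bad signature.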
To further promote cybersecurity, Google has also announced a new partnership with Snyk, an Israeli developer security platform. Assured OSS will be integrated into Snyk solutions from the get-go, enabling customers of both companies to benefit.
Google pointed to a staggering statistic: among the 550 most common open source projects it regularly scans, it has found more than 36,000 vulnerabilities as of January 2022. That alone shows how important it is to protect these projects against vulnerabilities, since open source software is popular, necessary and can no longer be ignored. Perhaps Google’s Assured OSS can make it more secure for everyone who takes advantage of it.