Google has launched a new initiative to secure the open-source software (OSS) supply chain as cyber-criminals look for vulnerabilities such as Log4Shell (in Log4j) and Spring4Shell to disrupt key operations.
The packages curated by the Assured OSS service are regularly scanned and analysed for vulnerabilities, and are built with Cloud Build with verifiable evidence of SLSA compliance, that is, build provenance a consumer can check rather than a self-declared label.
“There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks,” the company said in a statement.
Google's 'Assured Open Source Software' (Assured OSS) service will enable enterprise and public-sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows.
- Remediation efforts for vulnerabilities such as Log4Shell and Spring4Shell, and a massive 650% (year-over-year) increase in cyberattacks aimed at open source suppliers, have sharpened focus on the critical task of bolstering the security of open source software.
- Assured OSS lets organisations benefit from Google’s extensive security experience and can reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies.
- “Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on,” explained the company.
The Assured Open Source Software service is expected to debut in preview in the third quarter of 2022, letting organisations that might not have the same resources as the cloud giant incorporate its security-vetted OSS packages into their own developer workflows.
The graphic below illustrates the stages of the software supply chain for open source dependencies, each of which Google checks.
(Image Courtesy: fossbytes.com)