Google Cloud has announced a new open-source software security tool with the goal of improving the security of software supply chains.
The new Assured Open Source Software (Assured OSS) service aims to let enterprise and public sector users of open source software incorporate the same OSS packages that Google uses and secures in its own workflows into their own development workflows.
Software supply chains, which often rely on open source code to stay flexible and customizable, have become popular targets for attackers going after industries of all kinds.
What’s behind the move?
The move comes after numerous high-profile open source security incidents, including the Log4j (Log4Shell) and Spring4Shell vulnerabilities.
Google joined the OpenSSF and Linux Foundation for a meeting to advance the open source software security initiatives discussed at the recent White House Summit on Open Source Security.
Google says packages curated by the Assured OSS service will be regularly scanned, analyzed, and fuzz-tested for vulnerabilities and will have corresponding rich metadata that incorporates Google’s container/artifact scan data.
All packages included in the new service will be built with Google Cloud Build and will include evidence of verifiable SLSA (Supply-chain Levels for Software Artifacts) compliance.
Packages will be distributed from a secure, Google-protected artifact registry, with Assured OSS expected to enter preview in Q3 2022.
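Build provenance is only useful if the consumer actually checks it against the artifact they downloaded. The following is an added example, not Google's or Assured OSS's own code: it parses a SLSA provenance statement in the in-toto attestation format (the format SLSA specifies) and checks that the package bytes on disk match the subject digest recorded in the statement and that the recorded builder is the one the consumer expects. The artifact bytes, the provenance statement and the builder identifier are all constructed for this example; the real builder ID is whatever the producing build system records, and the DSSE signature over the statement must be verified separately before these content checks mean anything.

```python
import hashlib
import json
from typing import Dict, Tuple

# Constructed sample artifact standing in for a package tarball downloaded
# from a registry; in practice this is the bytes of the real file.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed sample package contents"

# Builder identity the consumer expects to see in the provenance.
# Hypothetical value: the real one is whatever the build system records.
EXPECTED_BUILDER_ID = "https://example.invalid/builder/cloud-build"

# Predicate types defined by the SLSA provenance spec.
SLSA_PREDICATE_TYPES = {
    "https://slsa.dev/provenance/v0.2",
    "https://slsa.dev/provenance/v1",
}
INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"


def make_sample_provenance(artifact: bytes, name: str) -> Dict:
    """Produce a constructed in-toto statement carrying a SLSA v0.2 provenance
    predicate for the given artifact. Used here only to generate test input;
    a real statement comes from the build system, wrapped in a signed DSSE
    envelope."""
    return {
        "_type": INTOTO_STATEMENT_TYPE,
        "subject": [
            {"name": name,
             "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}
        ],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": EXPECTED_BUILDER_ID},
            "buildType": "https://example.invalid/build-types/generic@v1",
            "materials": [
                {"uri": "git+https://example.invalid/org/pkg",
                 "digest": {"sha1": "0" * 40}}
            ],
        },
    }


def verify_provenance(artifact: bytes, name: str, statement_json: str,
                      expected_builder: str = EXPECTED_BUILDER_ID) -> Tuple[bool, str]:
    """Check that a provenance statement vouches for exactly this artifact.

    Returns (ok, reason). The statement is taken as the decoded DSSE payload
    (a JSON document); this function checks its contents only and assumes the
    envelope signature has already been verified by the caller.
    """
    try:
        statement = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return False, f"provenance is not valid JSON: {exc}"

    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        return False, "not an in-toto statement"
    if statement.get("predicateType") not in SLSA_PREDICATE_TYPES:
        return False, f"unexpected predicateType {statement.get('predicateType')!r}"

    # The subject must name this artifact, and its recorded sha256 must equal
    # the digest of the bytes we actually have. A tampered or substituted
    # download fails here even if the provenance itself is genuine.
    actual = hashlib.sha256(artifact).hexdigest()
    matching = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not matching:
        return False, f"no subject named {name!r}"
    if any(s.get("digest", {}).get("sha256") != actual for s in matching):
        return False, "sha256 digest mismatch: artifact does not match provenance"

    # Pin the builder: provenance from an unexpected builder is not trusted
    # even if it happens to describe the right bytes.
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        return False, f"unexpected builder id {builder!r}"
    return True, "ok"


if __name__ == "__main__":
    name = "pkg-1.0.tar.gz"
    payload = json.dumps(make_sample_provenance(SAMPLE_ARTIFACT, name))
    print(verify_provenance(SAMPLE_ARTIFACT, name, payload))
    print(verify_provenance(SAMPLE_ARTIFACT + b"\x00", name, payload))
```

The digest check is the part that ties the metadata to the bytes on disk; the builder check is what makes the SLSA level claim meaningful, since anyone can produce a statement with the right digest. Both are pointless without first verifying the signature on the envelope that carries the statement.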
Google pointed out that it continuously scans 550 of the most commonly used open source projects and claims to have found more than 36,000 vulnerabilities as of January 2022.
In addition, Google announced a partnership with the Israeli security company Snyk: Assured OSS will be natively integrated into Snyk's platform so that joint customers can use it wherever they develop code.
The partnership also means that Snyk's vulnerability findings, triggered actions, and remediation recommendations will be available to joint customers as part of Google Cloud's security and software development lifecycle tooling.
Security concerns haven’t stopped open source software from attracting the interest of developers around the world.
A survey of application developers by Instaclustr found that 45% of respondents recognize the potential of open source software to reduce costs, while 38% cite its potential to make code easier to port.